search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests/sec_descriptor: the default owner behavior depends on domainControllerFunctiona...
[Samba/gebeck_regimport.git] / source4 / dsdb / tests / python / sec_descriptor.py
blob10d37187a56db2f18bf9cca31930bec5f9a6799d
1 #!/usr/bin/env python
2 # -*- coding: utf-8 -*-
3
4 import optparse
5 import sys
6 import os
7 import base64
8 import re
9 import random
10
11 sys.path.insert(0, "bin/python")
12 import samba
13 samba.ensure_external_module("testtools", "testtools")
14 samba.ensure_external_module("subunit", "subunit/python")
15
16 import samba.getopt as options
17
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
20
21 # For running the test unit
22 from samba.ndr import ndr_pack, ndr_unpack
23 from samba.dcerpc import security
24
25 from samba import gensec, sd_utils
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials, DONT_USE_KERBEROS
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32 from subunit.run import SubunitTestRunner
33 import samba.tests
34 from samba.tests import delete_force
35 import unittest
36
37 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
38 sambaopts = options.SambaOptions(parser)
39 parser.add_option_group(sambaopts)
40 parser.add_option_group(options.VersionOptions(parser))
41
42 # use command line creds if available
43 credopts = options.CredentialsOptions(parser)
44 parser.add_option_group(credopts)
45 opts, args = parser.parse_args()
46
47 if len(args) < 1:
48 parser.print_usage()
49 sys.exit(1)
50
51 host = args[0]
52
53 lp = sambaopts.get_loadparm()
54 creds = credopts.get_credentials(lp)
55 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
56
57 #
58 # Tests start here
59 #
60
61 class DescriptorTests(samba.tests.TestCase):
62
63 def get_users_domain_dn(self, name):
64 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
65
66 def get_unique_schema_class_name(self):
67 while True:
68 class_name = "test-class%s" % random.randint(1,100000)
69 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
70 try:
71 self.ldb_admin.search(base=class_dn, attrs=["*"])
72 except LdbError, (num, _):
73 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
74 return class_name
75
76 def create_schema_class(self, _ldb, object_dn, desc=None):
77 ldif = """
78 dn: """ + object_dn + """
79 objectClass: classSchema
80 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
81 defaultObjectCategory: """ + object_dn + """
82 distinguishedName: """ + object_dn + """
83 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
84 instanceType: 4
85 objectClassCategory: 1
86 subClassOf: organizationalPerson
87 systemFlags: 16
88 rDNAttID: cn
89 systemMustContain: cn
90 systemOnly: FALSE
91 """
92 if desc:
93 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
94 if isinstance(desc, str):
95 ldif += "nTSecurityDescriptor: %s" % desc
96 elif isinstance(desc, security.descriptor):
97 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
98 _ldb.add_ldif(ldif)
99
100 def create_configuration_container(self, _ldb, object_dn, desc=None):
101 ldif = """
102 dn: """ + object_dn + """
103 objectClass: container
104 objectCategory: CN=Container,""" + self.schema_dn + """
105 showInAdvancedViewOnly: TRUE
106 instanceType: 4
107 """
108 if desc:
109 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
110 if isinstance(desc, str):
111 ldif += "nTSecurityDescriptor: %s" % desc
112 elif isinstance(desc, security.descriptor):
113 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
114 _ldb.add_ldif(ldif)
115
116 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
117 ldif = """
118 dn: """ + object_dn + """
119 objectClass: displaySpecifier
120 showInAdvancedViewOnly: TRUE
121 """
122 if desc:
123 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
124 if isinstance(desc, str):
125 ldif += "nTSecurityDescriptor: %s" % desc
126 elif isinstance(desc, security.descriptor):
127 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
128 _ldb.add_ldif(ldif)
129
130 def get_ldb_connection(self, target_username, target_password):
131 creds_tmp = Credentials()
132 creds_tmp.set_username(target_username)
133 creds_tmp.set_password(target_password)
134 creds_tmp.set_domain(creds.get_domain())
135 creds_tmp.set_realm(creds.get_realm())
136 creds_tmp.set_workstation(creds.get_workstation())
137 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
138 | gensec.FEATURE_SEAL)
139 creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
140 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
141 return ldb_target
142
143 def setUp(self):
144 super(DescriptorTests, self).setUp()
145 self.ldb_admin = ldb
146 self.base_dn = ldb.domain_dn()
147 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
148 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
149 self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
150 self.sd_utils = sd_utils.SDUtils(ldb)
151 print "baseDN: %s" % self.base_dn
152
153 ################################################################################################
154
155 ## Tests for DOMAIN
156
157 # Default descriptor tests #####################################################################
158
159 class OwnerGroupDescriptorTests(DescriptorTests):
160
161 def deleteAll(self):
162 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
163 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
164 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
165 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
166 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
167 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
168 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
169 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
170 # DOMAIN
171 delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
172 delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
173 delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
174 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
175 # SCHEMA
176 # CONFIGURATION
177 delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
178 + self.configuration_dn)
179 delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
180
181 def setUp(self):
182 super(OwnerGroupDescriptorTests, self).setUp()
183 self.deleteAll()
184 ### Create users
185 # User 1 - Enterprise Admins
186 self.ldb_admin.newuser("testuser1", "samba123@")
187 # User 2 - Domain Admins
188 self.ldb_admin.newuser("testuser2", "samba123@")
189 # User 3 - Schema Admins
190 self.ldb_admin.newuser("testuser3", "samba123@")
191 # User 4 - regular user
192 self.ldb_admin.newuser("testuser4", "samba123@")
193 # User 5 - Enterprise Admins and Domain Admins
194 self.ldb_admin.newuser("testuser5", "samba123@")
195 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
196 self.ldb_admin.newuser("testuser6", "samba123@")
197 # User 7 - Domain Admins and Schema Admins
198 self.ldb_admin.newuser("testuser7", "samba123@")
199 # User 5 - Enterprise Admins and Schema Admins
200 self.ldb_admin.newuser("testuser8", "samba123@")
201
202 self.ldb_admin.add_remove_group_members("Enterprise Admins",
203 ["testuser1", "testuser5", "testuser6", "testuser8"],
204 add_members_operation=True)
205 self.ldb_admin.add_remove_group_members("Domain Admins",
206 ["testuser2","testuser5","testuser6","testuser7"],
207 add_members_operation=True)
208 self.ldb_admin.add_remove_group_members("Schema Admins",
209 ["testuser3","testuser6","testuser7","testuser8"],
210 add_members_operation=True)
211
212 self.results = {
213 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
214 "ds_behavior_win2003" : {
215 "100" : "O:EAG:DU",
216 "101" : "O:DAG:DU",
217 "102" : "O:%sG:DU",
218 "103" : "O:%sG:DU",
219 "104" : "O:DAG:DU",
220 "105" : "O:DAG:DU",
221 "106" : "O:DAG:DU",
222 "107" : "O:EAG:DU",
223 "108" : "O:DAG:DA",
224 "109" : "O:DAG:DA",
225 "110" : "O:%sG:DA",
226 "111" : "O:%sG:DA",
227 "112" : "O:DAG:DA",
228 "113" : "O:DAG:DA",
229 "114" : "O:DAG:DA",
230 "115" : "O:DAG:DA",
231 "130" : "O:EAG:DU",
232 "131" : "O:DAG:DU",
233 "132" : "O:SAG:DU",
234 "133" : "O:%sG:DU",
235 "134" : "O:EAG:DU",
236 "135" : "O:SAG:DU",
237 "136" : "O:SAG:DU",
238 "137" : "O:SAG:DU",
239 "138" : "O:DAG:DA",
240 "139" : "O:DAG:DA",
241 "140" : "O:%sG:DA",
242 "141" : "O:%sG:DA",
243 "142" : "O:DAG:DA",
244 "143" : "O:DAG:DA",
245 "144" : "O:DAG:DA",
246 "145" : "O:DAG:DA",
247 "160" : "O:EAG:DU",
248 "161" : "O:DAG:DU",
249 "162" : "O:%sG:DU",
250 "163" : "O:%sG:DU",
251 "164" : "O:EAG:DU",
252 "165" : "O:EAG:DU",
253 "166" : "O:DAG:DU",
254 "167" : "O:EAG:DU",
255 "168" : "O:DAG:DA",
256 "169" : "O:DAG:DA",
257 "170" : "O:%sG:DA",
258 "171" : "O:%sG:DA",
259 "172" : "O:DAG:DA",
260 "173" : "O:DAG:DA",
261 "174" : "O:DAG:DA",
262 "175" : "O:DAG:DA",
263 },
264 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
265 "ds_behavior_win2008" : {
266 "100" : "O:EAG:EA",
267 "101" : "O:DAG:DA",
268 "102" : "O:%sG:DU",
269 "103" : "O:%sG:DU",
270 "104" : "O:DAG:DA",
271 "105" : "O:DAG:DA",
272 "106" : "O:DAG:DA",
273 "107" : "O:EAG:EA",
274 "108" : "O:DAG:DA",
275 "109" : "O:DAG:DA",
276 "110" : "O:%sG:DA",
277 "111" : "O:%sG:DA",
278 "112" : "O:DAG:DA",
279 "113" : "O:DAG:DA",
280 "114" : "O:DAG:DA",
281 "115" : "O:DAG:DA",
282 "130" : "O:EAG:EA",
283 "131" : "O:DAG:DA",
284 "132" : "O:SAG:SA",
285 "133" : "O:%sG:DU",
286 "134" : "O:EAG:EA",
287 "135" : "O:SAG:SA",
288 "136" : "O:SAG:SA",
289 "137" : "O:SAG:SA",
290 "138" : "",
291 "139" : "",
292 "140" : "O:%sG:DA",
293 "141" : "O:%sG:DA",
294 "142" : "",
295 "143" : "",
296 "144" : "",
297 "145" : "",
298 "160" : "O:EAG:EA",
299 "161" : "O:DAG:DA",
300 "162" : "O:%sG:DU",
301 "163" : "O:%sG:DU",
302 "164" : "O:EAG:EA",
303 "165" : "O:EAG:EA",
304 "166" : "O:DAG:DA",
305 "167" : "O:EAG:EA",
306 "168" : "O:DAG:DA",
307 "169" : "O:DAG:DA",
308 "170" : "O:%sG:DA",
309 "171" : "O:%sG:DA",
310 "172" : "O:DAG:DA",
311 "173" : "O:DAG:DA",
312 "174" : "O:DAG:DA",
313 "175" : "O:DAG:DA",
314 },
315 }
316 # Discover 'domainControllerFunctionality'
317 res = self.ldb_admin.search(base="", scope=SCOPE_BASE,
318 attrs=['domainControllerFunctionality'])
319 res = int(res[0]['domainControllerFunctionality'][0])
320 if res < DS_DOMAIN_FUNCTION_2008:
321 self.DS_BEHAVIOR = "ds_behavior_win2003"
322 else:
323 self.DS_BEHAVIOR = "ds_behavior_win2008"
324
325 def tearDown(self):
326 super(DescriptorTests, self).tearDown()
327 self.deleteAll()
328
329 def check_user_belongs(self, user_dn, groups=[]):
330 """ Test wether user is member of the expected group(s) """
331 if groups != []:
332 # User is member of at least one additional group
333 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
334 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
335 expected = []
336 for x in groups:
337 expected.append(self.get_users_domain_dn(x))
338 expected = [x.upper() for x in sorted(expected)]
339 self.assertEqual(expected, res)
340 else:
341 # User is not a member of any additional groups but default
342 res = self.ldb_admin.search(user_dn, attrs=["*"])
343 res = [x.upper() for x in res[0].keys()]
344 self.assertFalse( "MEMBEROF" in res)
345
346 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
347 # Modify
348 sd_user_utils = sd_utils.SDUtils(_ldb)
349 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
350 if owner_group != "":
351 sd_user_utils.modify_sd_on_dn(object_dn, owner_group + "D:" + ace)
352 else:
353 sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
354 # Make sure the modify operation has been applied
355 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
356 self.assertTrue(ace in desc_sddl)
357 # Make sure we have identical result for both "add" and "modify"
358 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
359 print self._testMethodName
360 test_number = self._testMethodName[5:]
361 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
362
363 def test_100(self):
364 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
365 """
366 user_name = "testuser1"
367 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
368 # Open Ldb connection with the tested user
369 _ldb = self.get_ldb_connection(user_name, "samba123@")
370 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
371 delete_force(self.ldb_admin, object_dn)
372 _ldb.newgroup("test_domain_group1", grouptype=4)
373 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
374 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
375 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
376 self.check_modify_inheritance(_ldb, object_dn)
377
378 def test_101(self):
379 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
380 """
381 user_name = "testuser2"
382 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
383 # Open Ldb connection with the tested user
384 _ldb = self.get_ldb_connection(user_name, "samba123@")
385 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
386 delete_force(self.ldb_admin, object_dn)
387 _ldb.newgroup("test_domain_group1", grouptype=4)
388 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
389 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
390 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
391 self.check_modify_inheritance(_ldb, object_dn)
392
393 def test_102(self):
394 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
395 """
396 user_name = "testuser3"
397 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
398 # Open Ldb connection with the tested user
399 _ldb = self.get_ldb_connection(user_name, "samba123@")
400 object_dn = "OU=test_domain_ou1," + self.base_dn
401 delete_force(self.ldb_admin, object_dn)
402 self.ldb_admin.create_ou(object_dn)
403 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
404 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
405 self.sd_utils.dacl_add_ace(object_dn, mod)
406 # Create additional object into the first one
407 object_dn = "CN=test_domain_user1," + object_dn
408 delete_force(self.ldb_admin, object_dn)
409 _ldb.newuser("test_domain_user1", "samba123@",
410 userou="OU=test_domain_ou1", setpassword=False)
411 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
412 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
413 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
414 # This fails, research why
415 #self.check_modify_inheritance(_ldb, object_dn)
416
417 def test_103(self):
418 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
419 """
420 user_name = "testuser4"
421 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
422 # Open Ldb connection with the tested user
423 _ldb = self.get_ldb_connection(user_name, "samba123@")
424 object_dn = "OU=test_domain_ou1," + self.base_dn
425 delete_force(self.ldb_admin, object_dn)
426 self.ldb_admin.create_ou(object_dn)
427 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
428 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
429 self.sd_utils.dacl_add_ace(object_dn, mod)
430 # Create additional object into the first one
431 object_dn = "CN=test_domain_user1," + object_dn
432 delete_force(self.ldb_admin, object_dn)
433 _ldb.newuser("test_domain_user1", "samba123@",
434 userou="OU=test_domain_ou1", setpassword=False)
435 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
436 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
437 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
438 #this fails, research why
439 #self.check_modify_inheritance(_ldb, object_dn)
440
441 def test_104(self):
442 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
443 """
444 user_name = "testuser5"
445 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
446 # Open Ldb connection with the tested user
447 _ldb = self.get_ldb_connection(user_name, "samba123@")
448 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
449 delete_force(self.ldb_admin, object_dn)
450 _ldb.newgroup("test_domain_group1", grouptype=4)
451 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
452 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
453 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
454 self.check_modify_inheritance(_ldb, object_dn)
455
456 def test_105(self):
457 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
458 """
459 user_name = "testuser6"
460 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
461 # Open Ldb connection with the tested user
462 _ldb = self.get_ldb_connection(user_name, "samba123@")
463 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
464 delete_force(self.ldb_admin, object_dn)
465 _ldb.newgroup("test_domain_group1", grouptype=4)
466 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
467 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
468 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
469 self.check_modify_inheritance(_ldb, object_dn)
470
471 def test_106(self):
472 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
473 """
474 user_name = "testuser7"
475 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
476 # Open Ldb connection with the tested user
477 _ldb = self.get_ldb_connection(user_name, "samba123@")
478 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
479 delete_force(self.ldb_admin, object_dn)
480 _ldb.newgroup("test_domain_group1", grouptype=4)
481 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
482 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
483 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
484 self.check_modify_inheritance(_ldb, object_dn)
485
486 def test_107(self):
487 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
488 """
489 user_name = "testuser8"
490 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
491 # Open Ldb connection with the tested user
492 _ldb = self.get_ldb_connection(user_name, "samba123@")
493 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
494 delete_force(self.ldb_admin, object_dn)
495 _ldb.newgroup("test_domain_group1", grouptype=4)
496 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
497 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
498 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
499 self.check_modify_inheritance(_ldb, object_dn)
500
501 # Control descriptor tests #####################################################################
502
503 def test_108(self):
504 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
505 """
506 user_name = "testuser1"
507 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
508 # Open Ldb connection with the tested user
509 _ldb = self.get_ldb_connection(user_name, "samba123@")
510 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
511 delete_force(self.ldb_admin, object_dn)
512 # Create a custom security descriptor
513 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
514 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
515 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
516 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
517 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
518 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
519
520 def test_109(self):
521 """ Domain admin group member creates object (custom descriptor) in DOMAIN
522 """
523 user_name = "testuser2"
524 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
525 # Open Ldb connection with the tested user
526 _ldb = self.get_ldb_connection(user_name, "samba123@")
527 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
528 delete_force(self.ldb_admin, object_dn)
529 # Create a custom security descriptor
530 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
531 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
532 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
533 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
534 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
535 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
536
537 def test_110(self):
538 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
539 """
540 user_name = "testuser3"
541 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
542 # Open Ldb connection with the tested user
543 _ldb = self.get_ldb_connection(user_name, "samba123@")
544 object_dn = "OU=test_domain_ou1," + self.base_dn
545 delete_force(self.ldb_admin, object_dn)
546 self.ldb_admin.create_ou(object_dn)
547 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
548 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
549 self.sd_utils.dacl_add_ace(object_dn, mod)
550 # Create a custom security descriptor
551 # NB! Problematic owner part won't accept DA only <User Sid> !!!
552 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
553 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
554 # Create additional object into the first one
555 object_dn = "CN=test_domain_user1," + object_dn
556 delete_force(self.ldb_admin, object_dn)
557 _ldb.newuser("test_domain_user1", "samba123@",
558 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
559 desc = self.sd_utils.read_sd_on_dn(object_dn)
560 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
561 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
562 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
563
564 def test_111(self):
565 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
566 """
567 user_name = "testuser4"
568 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
569 # Open Ldb connection with the tested user
570 _ldb = self.get_ldb_connection(user_name, "samba123@")
571 object_dn = "OU=test_domain_ou1," + self.base_dn
572 delete_force(self.ldb_admin, object_dn)
573 self.ldb_admin.create_ou(object_dn)
574 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
575 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
576 self.sd_utils.dacl_add_ace(object_dn, mod)
577 # Create a custom security descriptor
578 # NB! Problematic owner part won't accept DA only <User Sid> !!!
579 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
580 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
581 # Create additional object into the first one
582 object_dn = "CN=test_domain_user1," + object_dn
583 delete_force(self.ldb_admin, object_dn)
584 _ldb.newuser("test_domain_user1", "samba123@",
585 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
586 desc = self.sd_utils.read_sd_on_dn(object_dn)
587 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
588 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
589 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
590
591 def test_112(self):
592 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
593 """
594 user_name = "testuser5"
595 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
596 # Open Ldb connection with the tested user
597 _ldb = self.get_ldb_connection(user_name, "samba123@")
598 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
599 delete_force(self.ldb_admin, object_dn)
600 # Create a custom security descriptor
601 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
602 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
603 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
604 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
605 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
606 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
607
608 def test_113(self):
609 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
610 """
611 user_name = "testuser6"
612 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
613 # Open Ldb connection with the tested user
614 _ldb = self.get_ldb_connection(user_name, "samba123@")
615 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
616 delete_force(self.ldb_admin, object_dn)
617 # Create a custom security descriptor
618 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
619 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
620 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
621 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
622 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
623 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
624
625 def test_114(self):
626 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
627 """
628 user_name = "testuser7"
629 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
630 # Open Ldb connection with the tested user
631 _ldb = self.get_ldb_connection(user_name, "samba123@")
632 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
633 delete_force(self.ldb_admin, object_dn)
634 # Create a custom security descriptor
635 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
636 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
637 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
638 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
639 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
640 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
641
642 def test_115(self):
643 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
644 """
645 user_name = "testuser8"
646 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
647 # Open Ldb connection with the tested user
648 _ldb = self.get_ldb_connection(user_name, "samba123@")
649 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
650 delete_force(self.ldb_admin, object_dn)
651 # Create a custom security descriptor
652 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
653 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
654 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
655 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
656 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
657 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
658
659 def test_999(self):
660 user_name = "Administrator"
661 object_dn = "OU=test_domain_ou1," + self.base_dn
662 delete_force(self.ldb_admin, object_dn)
663 self.ldb_admin.create_ou(object_dn)
664 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
665 mod = "(D;CI;WP;;;S-1-3-0)"
666 #mod = ""
667 self.sd_utils.dacl_add_ace(object_dn, mod)
668 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
669 # Create additional object into the first one
670 object_dn = "OU=test_domain_ou2," + object_dn
671 delete_force(self.ldb_admin, object_dn)
672 self.ldb_admin.create_ou(object_dn)
673 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
674
675 ## Tests for SCHEMA
676
677 # Defalt descriptor tests ##################################################################
678
679 def test_130(self):
680 user_name = "testuser1"
681 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
682 # Open Ldb connection with the tested user
683 _ldb = self.get_ldb_connection(user_name, "samba123@")
684 # Change Schema partition descriptor
685 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
686 mod = "(A;;WDCC;;;AU)"
687 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
688 # Create example Schema class
689 class_name = self.get_unique_schema_class_name()
690 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
691 self.create_schema_class(_ldb, class_dn)
692 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
693 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
694 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
695 self.check_modify_inheritance(_ldb, class_dn)
696
697 def test_131(self):
698 user_name = "testuser2"
699 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
700 # Open Ldb connection with the tested user
701 _ldb = self.get_ldb_connection(user_name, "samba123@")
702 # Change Schema partition descriptor
703 mod = "(A;CI;WDCC;;;AU)"
704 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
705 # Create example Schema class
706 class_name = self.get_unique_schema_class_name()
707 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
708 self.create_schema_class(_ldb, class_dn)
709 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
710 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
711 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
712 self.check_modify_inheritance(_ldb, class_dn)
713
714 def test_132(self):
715 user_name = "testuser3"
716 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
717 # Open Ldb connection with the tested user
718 _ldb = self.get_ldb_connection(user_name, "samba123@")
719 # Change Schema partition descriptor
720 mod = "(A;CI;WDCC;;;AU)"
721 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
722 # Create example Schema class
723 class_name = self.get_unique_schema_class_name()
724 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
725 self.create_schema_class(_ldb, class_dn)
726 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
727 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
728 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
729 #self.check_modify_inheritance(_ldb, class_dn)
730
731 def test_133(self):
732 user_name = "testuser4"
733 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
734 # Open Ldb connection with the tested user
735 _ldb = self.get_ldb_connection(user_name, "samba123@")
736 #Change Schema partition descriptor
737 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
738 mod = "(A;CI;WDCC;;;AU)"
739 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
740 # Create example Schema class
741 class_name = self.get_unique_schema_class_name()
742 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
743 self.create_schema_class(_ldb, class_dn)
744 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
745 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
746 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
747 #self.check_modify_inheritance(_ldb, class_dn)
748
749 def test_134(self):
750 user_name = "testuser5"
751 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
752 # Open Ldb connection with the tested user
753 _ldb = self.get_ldb_connection(user_name, "samba123@")
754 #Change Schema partition descriptor
755 mod = "(A;CI;WDCC;;;AU)"
756 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
757 # Create example Schema class
758 class_name = self.get_unique_schema_class_name()
759 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
760 self.create_schema_class(_ldb, class_dn)
761 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
762 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
763 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
764 self.check_modify_inheritance(_ldb, class_dn)
765
766 def test_135(self):
767 user_name = "testuser6"
768 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
769 # Open Ldb connection with the tested user
770 _ldb = self.get_ldb_connection(user_name, "samba123@")
771 # Change Schema partition descriptor
772 mod = "(A;CI;WDCC;;;AU)"
773 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
774 # Create example Schema class
775 class_name = self.get_unique_schema_class_name()
776 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
777 self.create_schema_class(_ldb, class_dn)
778 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
779 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
780 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
781 self.check_modify_inheritance(_ldb, class_dn)
782
783 def test_136(self):
784 user_name = "testuser7"
785 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
786 # Open Ldb connection with the tested user
787 _ldb = self.get_ldb_connection(user_name, "samba123@")
788 # Change Schema partition descriptor
789 mod = "(A;CI;WDCC;;;AU)"
790 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
791 # Create example Schema class
792 class_name = self.get_unique_schema_class_name()
793 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
794 self.create_schema_class(_ldb, class_dn)
795 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
796 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
797 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
798 self.check_modify_inheritance(_ldb, class_dn)
799
800 def test_137(self):
801 user_name = "testuser8"
802 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
803 # Open Ldb connection with the tested user
804 _ldb = self.get_ldb_connection(user_name, "samba123@")
805 # Change Schema partition descriptor
806 mod = "(A;CI;WDCC;;;AU)"
807 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
808 # Create example Schema class
809 class_name = self.get_unique_schema_class_name()
810 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
811 self.create_schema_class(_ldb, class_dn)
812 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
813 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
814 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
815 self.check_modify_inheritance(_ldb, class_dn)
816
817 # Custom descriptor tests ##################################################################
818
819 def test_138(self):
820 user_name = "testuser1"
821 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
822 # Open Ldb connection with the tested user
823 _ldb = self.get_ldb_connection(user_name, "samba123@")
824 # Change Schema partition descriptor
825 mod = "(A;;CC;;;AU)"
826 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
827 # Create a custom security descriptor
828 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
829 # Create example Schema class
830 class_name = self.get_unique_schema_class_name()
831 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
832 self.create_schema_class(_ldb, class_dn, desc_sddl)
833 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
834 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
835 self.assertEqual("O:DAG:DA", res)
836
837 def test_139(self):
838 user_name = "testuser2"
839 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
840 # Open Ldb connection with the tested user
841 _ldb = self.get_ldb_connection(user_name, "samba123@")
842 # Change Schema partition descriptor
843 mod = "(A;;CC;;;AU)"
844 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
845 # Create a custom security descriptor
846 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
847 # Create example Schema class
848 class_name = self.get_unique_schema_class_name()
849 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
850 self.create_schema_class(_ldb, class_dn, desc_sddl)
851 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
852 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
853 self.assertEqual("O:DAG:DA", res)
854
855 def test_140(self):
856 user_name = "testuser3"
857 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
858 # Open Ldb connection with the tested user
859 _ldb = self.get_ldb_connection(user_name, "samba123@")
860 # Create a custom security descriptor
861 # NB! Problematic owner part won't accept DA only <User Sid> !!!
862 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
863 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
864 # Create example Schema class
865 class_name = self.get_unique_schema_class_name()
866 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
867 self.create_schema_class(_ldb, class_dn, desc_sddl)
868 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
869 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
870 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
871
872 def test_141(self):
873 user_name = "testuser4"
874 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
875 # Open Ldb connection with the tested user
876 _ldb = self.get_ldb_connection(user_name, "samba123@")
877 # Create a custom security descriptor
878 # NB! Problematic owner part won't accept DA only <User Sid> !!!
879 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
880 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
881 # Create example Schema class
882 class_name = self.get_unique_schema_class_name()
883 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
884 self.create_schema_class(_ldb, class_dn, desc_sddl)
885 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
886 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
887 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
888
889 def test_142(self):
890 user_name = "testuser5"
891 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
892 # Open Ldb connection with the tested user
893 _ldb = self.get_ldb_connection(user_name, "samba123@")
894 # Change Schema partition descriptor
895 mod = "(A;;CC;;;AU)"
896 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
897 # Create a custom security descriptor
898 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
899 # Create example Schema class
900 class_name = self.get_unique_schema_class_name()
901 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
902 self.create_schema_class(_ldb, class_dn, desc_sddl)
903 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
904 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
905 self.assertEqual("O:DAG:DA", res)
906
907 def test_143(self):
908 user_name = "testuser6"
909 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
910 # Open Ldb connection with the tested user
911 _ldb = self.get_ldb_connection(user_name, "samba123@")
912 # Change Schema partition descriptor
913 mod = "(A;;CC;;;AU)"
914 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
915 # Create a custom security descriptor
916 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
917 # Create example Schema class
918 class_name = self.get_unique_schema_class_name()
919 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
920 self.create_schema_class(_ldb, class_dn, desc_sddl)
921 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
922 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
923 self.assertEqual("O:DAG:DA", res)
924
925 def test_144(self):
926 user_name = "testuser7"
927 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
928 # Open Ldb connection with the tested user
929 _ldb = self.get_ldb_connection(user_name, "samba123@")
930 # Change Schema partition descriptor
931 mod = "(A;;CC;;;AU)"
932 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
933 # Create a custom security descriptor
934 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
935 # Create example Schema class
936 class_name = self.get_unique_schema_class_name()
937 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
938 self.create_schema_class(_ldb, class_dn, desc_sddl)
939 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
940 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
941 self.assertEqual("O:DAG:DA", res)
942
943 def test_145(self):
944 user_name = "testuser8"
945 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
946 # Open Ldb connection with the tested user
947 _ldb = self.get_ldb_connection(user_name, "samba123@")
948 # Change Schema partition descriptor
949 mod = "(A;;CC;;;AU)"
950 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
951 # Create a custom security descriptor
952 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
953 # Create example Schema class
954 class_name = self.get_unique_schema_class_name()
955 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
956 self.create_schema_class(_ldb, class_dn, desc_sddl)
957 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
958 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
959 self.assertEqual("O:DAG:DA", res)
960
961 ## Tests for CONFIGURATION
962
963 # Defalt descriptor tests ##################################################################
964
965 def test_160(self):
966 user_name = "testuser1"
967 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
968 # Open Ldb connection with the tested user
969 _ldb = self.get_ldb_connection(user_name, "samba123@")
970 # Create example Configuration container
971 container_name = "test-container1"
972 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
973 delete_force(self.ldb_admin, object_dn)
974 self.create_configuration_container(_ldb, object_dn, )
975 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
976 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
977 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
978 self.check_modify_inheritance(_ldb, object_dn)
979
980 def test_161(self):
981 user_name = "testuser2"
982 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
983 # Open Ldb connection with the tested user
984 _ldb = self.get_ldb_connection(user_name, "samba123@")
985 # Create example Configuration container
986 container_name = "test-container1"
987 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
988 delete_force(self.ldb_admin, object_dn)
989 self.create_configuration_container(_ldb, object_dn, )
990 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
991 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
992 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
993 self.check_modify_inheritance(_ldb, object_dn)
994
995 def test_162(self):
996 user_name = "testuser3"
997 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
998 # Open Ldb connection with the tested user
999 _ldb = self.get_ldb_connection(user_name, "samba123@")
1000 # Create example Configuration container
1001 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1002 delete_force(self.ldb_admin, object_dn)
1003 self.create_configuration_container(self.ldb_admin, object_dn, )
1004 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1005 mod = "(A;;WDCC;;;AU)"
1006 self.sd_utils.dacl_add_ace(object_dn, mod)
1007 # Create child object with user's credentials
1008 object_dn = "CN=test-specifier1," + object_dn
1009 delete_force(self.ldb_admin, object_dn)
1010 self.create_configuration_specifier(_ldb, object_dn)
1011 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1012 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1013 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1014 #self.check_modify_inheritance(_ldb, object_dn)
1015
1016 def test_163(self):
1017 user_name = "testuser4"
1018 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1019 # Open Ldb connection with the tested user
1020 _ldb = self.get_ldb_connection(user_name, "samba123@")
1021 # Create example Configuration container
1022 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1023 delete_force(self.ldb_admin, object_dn)
1024 self.create_configuration_container(self.ldb_admin, object_dn, )
1025 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1026 mod = "(A;CI;WDCC;;;AU)"
1027 self.sd_utils.dacl_add_ace(object_dn, mod)
1028 # Create child object with user's credentials
1029 object_dn = "CN=test-specifier1," + object_dn
1030 delete_force(self.ldb_admin, object_dn)
1031 self.create_configuration_specifier(_ldb, object_dn)
1032 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1033 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1034 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1035 #self.check_modify_inheritance(_ldb, object_dn)
1036
1037 def test_164(self):
1038 user_name = "testuser5"
1039 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1040 # Open Ldb connection with the tested user
1041 _ldb = self.get_ldb_connection(user_name, "samba123@")
1042 # Create example Configuration container
1043 container_name = "test-container1"
1044 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1045 delete_force(self.ldb_admin, object_dn)
1046 self.create_configuration_container(_ldb, object_dn, )
1047 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1048 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1049 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1050 self.check_modify_inheritance(_ldb, object_dn)
1051
1052 def test_165(self):
1053 user_name = "testuser6"
1054 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1055 # Open Ldb connection with the tested user
1056 _ldb = self.get_ldb_connection(user_name, "samba123@")
1057 # Create example Configuration container
1058 container_name = "test-container1"
1059 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1060 delete_force(self.ldb_admin, object_dn)
1061 self.create_configuration_container(_ldb, object_dn, )
1062 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1063 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1064 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1065 self.check_modify_inheritance(_ldb, object_dn)
1066
1067 def test_166(self):
1068 user_name = "testuser7"
1069 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1070 # Open Ldb connection with the tested user
1071 _ldb = self.get_ldb_connection(user_name, "samba123@")
1072 # Create example Configuration container
1073 container_name = "test-container1"
1074 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1075 delete_force(self.ldb_admin, object_dn)
1076 self.create_configuration_container(_ldb, object_dn, )
1077 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1078 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1079 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1080 self.check_modify_inheritance(_ldb, object_dn)
1081
1082 def test_167(self):
1083 user_name = "testuser8"
1084 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1085 # Open Ldb connection with the tested user
1086 _ldb = self.get_ldb_connection(user_name, "samba123@")
1087 # Create example Configuration container
1088 container_name = "test-container1"
1089 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1090 delete_force(self.ldb_admin, object_dn)
1091 self.create_configuration_container(_ldb, object_dn, )
1092 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1093 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1094 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1095 self.check_modify_inheritance(_ldb, object_dn)
1096
1097 # Custom descriptor tests ##################################################################
1098
1099 def test_168(self):
1100 user_name = "testuser1"
1101 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1102 # Open Ldb connection with the tested user
1103 _ldb = self.get_ldb_connection(user_name, "samba123@")
1104 # Create example Configuration container
1105 container_name = "test-container1"
1106 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1107 delete_force(self.ldb_admin, object_dn)
1108 # Create a custom security descriptor
1109 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1110 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1111 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1112 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1113 self.assertEqual("O:DAG:DA", res)
1114
1115 def test_169(self):
1116 user_name = "testuser2"
1117 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1118 # Open Ldb connection with the tested user
1119 _ldb = self.get_ldb_connection(user_name, "samba123@")
1120 # Create example Configuration container
1121 container_name = "test-container1"
1122 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1123 delete_force(self.ldb_admin, object_dn)
1124 # Create a custom security descriptor
1125 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1126 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1127 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1128 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1129 self.assertEqual("O:DAG:DA", res)
1130
1131 def test_170(self):
1132 user_name = "testuser3"
1133 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1134 # Open Ldb connection with the tested user
1135 _ldb = self.get_ldb_connection(user_name, "samba123@")
1136 # Create example Configuration container
1137 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1138 delete_force(self.ldb_admin, object_dn)
1139 self.create_configuration_container(self.ldb_admin, object_dn, )
1140 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1141 mod = "(A;;CC;;;AU)"
1142 self.sd_utils.dacl_add_ace(object_dn, mod)
1143 # Create child object with user's credentials
1144 object_dn = "CN=test-specifier1," + object_dn
1145 delete_force(self.ldb_admin, object_dn)
1146 # Create a custom security descriptor
1147 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1148 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1149 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1150 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1151 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1152 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1153
1154 def test_171(self):
1155 user_name = "testuser4"
1156 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1157 # Open Ldb connection with the tested user
1158 _ldb = self.get_ldb_connection(user_name, "samba123@")
1159 # Create example Configuration container
1160 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1161 delete_force(self.ldb_admin, object_dn)
1162 self.create_configuration_container(self.ldb_admin, object_dn, )
1163 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1164 mod = "(A;;CC;;;AU)"
1165 self.sd_utils.dacl_add_ace(object_dn, mod)
1166 # Create child object with user's credentials
1167 object_dn = "CN=test-specifier1," + object_dn
1168 delete_force(self.ldb_admin, object_dn)
1169 # Create a custom security descriptor
1170 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1171 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1172 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1173 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1174 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1175 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1176
1177 def test_172(self):
1178 user_name = "testuser5"
1179 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1180 # Open Ldb connection with the tested user
1181 _ldb = self.get_ldb_connection(user_name, "samba123@")
1182 # Create example Configuration container
1183 container_name = "test-container1"
1184 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1185 delete_force(self.ldb_admin, object_dn)
1186 # Create a custom security descriptor
1187 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1188 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1189 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1190 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1191 self.assertEqual("O:DAG:DA", res)
1192
1193 def test_173(self):
1194 user_name = "testuser6"
1195 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1196 # Open Ldb connection with the tested user
1197 _ldb = self.get_ldb_connection(user_name, "samba123@")
1198 # Create example Configuration container
1199 container_name = "test-container1"
1200 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1201 delete_force(self.ldb_admin, object_dn)
1202 # Create a custom security descriptor
1203 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1204 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1205 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1206 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1207 self.assertEqual("O:DAG:DA", res)
1208
1209 def test_174(self):
1210 user_name = "testuser7"
1211 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1212 # Open Ldb connection with the tested user
1213 _ldb = self.get_ldb_connection(user_name, "samba123@")
1214 # Create example Configuration container
1215 container_name = "test-container1"
1216 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1217 delete_force(self.ldb_admin, object_dn)
1218 # Create a custom security descriptor
1219 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1220 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1221 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1222 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1223 self.assertEqual("O:DAG:DA", res)
1224
1225 def test_175(self):
1226 user_name = "testuser8"
1227 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1228 # Open Ldb connection with the tested user
1229 _ldb = self.get_ldb_connection(user_name, "samba123@")
1230 # Create example Configuration container
1231 container_name = "test-container1"
1232 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1233 delete_force(self.ldb_admin, object_dn)
1234 # Create a custom security descriptor
1235 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1236 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1237 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1238 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1239 self.assertEqual("O:DAG:DA", res)
1240
1241 ########################################################################################
1242 # Inheritance tests for DACL
1243
1244 class DaclDescriptorTests(DescriptorTests):
1245
1246 def deleteAll(self):
1247 delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1248 delete_force(self.ldb_admin, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1249 delete_force(self.ldb_admin, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1250 delete_force(self.ldb_admin, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1251 delete_force(self.ldb_admin, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1252 delete_force(self.ldb_admin, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self.base_dn)
1253 delete_force(self.ldb_admin, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self.base_dn)
1254 delete_force(self.ldb_admin, "OU=test_inherit_ou_p," + self.base_dn)
1255 delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1256
1257 def setUp(self):
1258 super(DaclDescriptorTests, self).setUp()
1259 self.deleteAll()
1260
1261 def create_clean_ou(self, object_dn):
1262 """ Base repeating setup for unittests to follow """
1263 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1264 expression="distinguishedName=%s" % object_dn)
1265 # Make sure top testing OU has been deleted before starting the test
1266 self.assertEqual(len(res), 0)
1267 self.ldb_admin.create_ou(object_dn)
1268 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1269 # Make sure there are inheritable ACEs initially
1270 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1271 # Find and remove all inherit ACEs
1272 res = re.findall("\(.*?\)", desc_sddl)
1273 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1274 for x in res:
1275 desc_sddl = desc_sddl.replace(x, "")
1276 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1277 # can propagate from above
1278 # remove SACL, we are not interested
1279 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1280 self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
1281 # Verify all inheritable ACEs are gone
1282 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1283 self.assertFalse("CI" in desc_sddl)
1284 self.assertFalse("OI" in desc_sddl)
1285
1286 def test_200(self):
1287 """ OU with protected flag and child group. See if the group has inherit ACEs.
1288 """
1289 ou_dn = "OU=test_inherit_ou," + self.base_dn
1290 group_dn = "CN=test_inherit_group," + ou_dn
1291 # Create inheritable-free OU
1292 self.create_clean_ou(ou_dn)
1293 # Create group child object
1294 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1295 # Make sure created group object contains NO inherit ACEs
1296 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1297 self.assertFalse("ID" in desc_sddl)
1298
1299 def test_201(self):
1300 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1301 Verify group has custom and default ACEs only.
1302 """
1303 ou_dn = "OU=test_inherit_ou," + self.base_dn
1304 group_dn = "CN=test_inherit_group," + ou_dn
1305 # Create inheritable-free OU
1306 self.create_clean_ou(ou_dn)
1307 # Create group child object using custom security descriptor
1308 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1309 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
1310 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1311 # Make sure created group descriptor has NO additional ACEs
1312 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1313 self.assertEqual(desc_sddl, sddl)
1314 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1315 self.sd_utils.modify_sd_on_dn(group_dn, sddl)
1316 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1317 self.assertEqual(desc_sddl, sddl)
1318
1319 def test_202(self):
1320 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1321 See if the group has any of the added ACEs.
1322 """
1323 ou_dn = "OU=test_inherit_ou," + self.base_dn
1324 group_dn = "CN=test_inherit_group," + ou_dn
1325 # Create inheritable-free OU
1326 self.create_clean_ou(ou_dn)
1327 # Add some custom non-inheritable ACEs
1328 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1329 moded = "(D;;CC;;;LG)"
1330 self.sd_utils.dacl_add_ace(ou_dn, mod)
1331 # Verify all inheritable ACEs are gone
1332 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1333 # Create group child object
1334 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1335 # Make sure created group object contains NO inherit ACEs
1336 # also make sure the added above non-inheritable ACEs are absent too
1337 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1338 self.assertFalse("ID" in desc_sddl)
1339 for x in re.findall("\(.*?\)", mod):
1340 self.assertFalse(x in desc_sddl)
1341 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1342 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1343 self.assertFalse("ID" in desc_sddl)
1344 for x in re.findall("\(.*?\)", mod):
1345 self.assertFalse(x in desc_sddl)
1346
1347 def test_203(self):
1348 """ OU with protected flag and add 'CI' ACE, child group.
1349 See if the group has the added inherited ACE.
1350 """
1351 ou_dn = "OU=test_inherit_ou," + self.base_dn
1352 group_dn = "CN=test_inherit_group," + ou_dn
1353 # Create inheritable-free OU
1354 self.create_clean_ou(ou_dn)
1355 # Add some custom 'CI' ACE
1356 mod = "(D;CI;WP;;;DU)"
1357 moded = "(D;;CC;;;LG)"
1358 self.sd_utils.dacl_add_ace(ou_dn, mod)
1359 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1360 # Create group child object
1361 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1362 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1363 # Make sure created group object contains only the above inherited ACE
1364 # that we've added manually
1365 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1366 mod = mod.replace(";CI;", ";CIID;")
1367 self.assertTrue(mod in desc_sddl)
1368 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1369 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1370 self.assertTrue(moded in desc_sddl)
1371 self.assertTrue(mod in desc_sddl)
1372
1373 def test_204(self):
1374 """ OU with protected flag and add 'OI' ACE, child group.
1375 See if the group has the added inherited ACE.
1376 """
1377 ou_dn = "OU=test_inherit_ou," + self.base_dn
1378 group_dn = "CN=test_inherit_group," + ou_dn
1379 # Create inheritable-free OU
1380 self.create_clean_ou(ou_dn)
1381 # Add some custom 'CI' ACE
1382 mod = "(D;OI;WP;;;DU)"
1383 moded = "(D;;CC;;;LG)"
1384 self.sd_utils.dacl_add_ace(ou_dn, mod)
1385 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1386 # Create group child object
1387 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1388 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1389 # Make sure created group object contains only the above inherited ACE
1390 # that we've added manually
1391 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1392 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1393 self.assertTrue(mod in desc_sddl)
1394 self.sd_utils.modify_sd_on_dn(group_dn, "D:" +moded)
1395 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1396 self.assertTrue(moded in desc_sddl)
1397 self.assertTrue(mod in desc_sddl)
1398
1399 def test_205(self):
1400 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1401 See if the group has the added inherited ACE.
1402 """
1403 ou_dn = "OU=test_inherit_ou," + self.base_dn
1404 group_dn = "CN=test_inherit_group," + ou_dn
1405 # Create inheritable-free OU
1406 self.create_clean_ou(ou_dn)
1407 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1408 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1409 moded = "(D;;CC;;;LG)"
1410 self.sd_utils.dacl_add_ace(ou_dn, mod)
1411 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1412 # Create group child object
1413 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1414 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1415 # Make sure created group object contains only the above inherited ACE
1416 # that we've added manually
1417 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1418 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1419 self.assertTrue(mod in desc_sddl)
1420 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1421 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1422 self.assertTrue(moded in desc_sddl)
1423 self.assertTrue(mod in desc_sddl)
1424
1425 def test_206(self):
1426 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1427 See if the group has the added inherited ACE.
1428 """
1429 ou_dn = "OU=test_inherit_ou," + self.base_dn
1430 group_dn = "CN=test_inherit_group," + ou_dn
1431 # Create inheritable-free OU
1432 self.create_clean_ou(ou_dn)
1433 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1434 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1435 moded = "(D;;CC;;;LG)"
1436 self.sd_utils.dacl_add_ace(ou_dn, mod)
1437 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1438 # Create group child object
1439 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1440 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1441 # Make sure created group object contains only the above inherited ACE
1442 # that we've added manually
1443 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1444 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1445 self.assertTrue(mod in desc_sddl)
1446 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1447 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1448 self.assertTrue(moded in desc_sddl)
1449 self.assertTrue(mod in desc_sddl)
1450
1451 def test_207(self):
1452 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1453 See if the group has the added inherited ACE.
1454 """
1455 ou_dn = "OU=test_inherit_ou," + self.base_dn
1456 group_dn = "CN=test_inherit_group," + ou_dn
1457 # Create inheritable-free OU
1458 self.create_clean_ou(ou_dn)
1459 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1460 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1461 moded = "(D;;CC;;;LG)"
1462 self.sd_utils.dacl_add_ace(ou_dn, mod)
1463 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1464 # Create group child object
1465 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1466 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1467 # Make sure created group object contains only the above inherited ACE
1468 # that we've added manually
1469 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1470 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1471 self.assertTrue(mod in desc_sddl)
1472 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1473 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1474 self.assertTrue(moded in desc_sddl)
1475 self.assertTrue(mod in desc_sddl)
1476
1477 def test_208(self):
1478 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1479 See if the group has the added inherited ACE.
1480 """
1481 ou_dn = "OU=test_inherit_ou," + self.base_dn
1482 group_dn = "CN=test_inherit_group," + ou_dn
1483 # Create inheritable-free OU
1484 self.create_clean_ou(ou_dn)
1485 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1486 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1487 moded = "(D;;CC;;;LG)"
1488 self.sd_utils.dacl_add_ace(ou_dn, mod)
1489 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1490 # Create group child object
1491 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1492 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1493 # Make sure created group object contains only the above inherited ACE
1494 # that we've added manually
1495 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1496 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1497 self.assertTrue(mod in desc_sddl)
1498 self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1499 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1500 self.assertTrue(moded in desc_sddl)
1501 self.assertTrue(mod in desc_sddl)
1502
1503 def test_209(self):
1504 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1505 See if the group has the added inherited ACE.
1506 """
1507 ou_dn = "OU=test_inherit_ou," + self.base_dn
1508 group_dn = "CN=test_inherit_group," + ou_dn
1509 # Create inheritable-free OU
1510 self.create_clean_ou(ou_dn)
1511 # Add some custom 'CI' ACE
1512 mod = "(D;CI;WP;;;CO)"
1513 moded = "(D;;CC;;;LG)"
1514 self.sd_utils.dacl_add_ace(ou_dn, mod)
1515 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1516 # Create group child object
1517 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1518 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1519 # Make sure created group object contains only the above inherited ACE(s)
1520 # that we've added manually
1521 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1522 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1523 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1524 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1525 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1526 self.assertTrue(moded in desc_sddl)
1527 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1528 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1529
1530 def test_210(self):
1531 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1532 """
1533 ou_dn = "OU=test_inherit_ou," + self.base_dn
1534 group_dn = "CN=test_inherit_group," + ou_dn
1535 self.create_clean_ou(ou_dn)
1536 # Add some custom ACE
1537 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1538 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1539 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1540 # Make sure created group object does not contain the ID ace
1541 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1542 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1543
1544 def test_211(self):
1545 """ Provide ACE with CO SID, should be expanded and replaced
1546 """
1547 ou_dn = "OU=test_inherit_ou," + self.base_dn
1548 group_dn = "CN=test_inherit_group," + ou_dn
1549 # Create inheritable-free OU
1550 self.create_clean_ou(ou_dn)
1551 # Add some custom 'CI' ACE
1552 mod = "D:(D;CI;WP;;;CO)"
1553 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1554 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1555 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1556 self.assertTrue("(D;;WP;;;DA)" in desc_sddl)
1557 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1558
1559 def test_212(self):
1560 """ Provide ACE with IO flag, should be ignored
1561 """
1562 ou_dn = "OU=test_inherit_ou," + self.base_dn
1563 group_dn = "CN=test_inherit_group," + ou_dn
1564 # Create inheritable-free OU
1565 self.create_clean_ou(ou_dn)
1566 # Add some custom 'CI' ACE
1567 mod = "D:(D;CIIO;WP;;;CO)"
1568 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1569 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1570 # Make sure created group object contains only the above inherited ACE(s)
1571 # that we've added manually
1572 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1573 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1574 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1575 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1576
1577 def test_213(self):
1578 """ Provide ACE with IO flag, should be ignored
1579 """
1580 ou_dn = "OU=test_inherit_ou," + self.base_dn
1581 group_dn = "CN=test_inherit_group," + ou_dn
1582 # Create inheritable-free OU
1583 self.create_clean_ou(ou_dn)
1584 mod = "D:(D;IO;WP;;;DA)"
1585 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1586 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1587 # Make sure created group object contains only the above inherited ACE(s)
1588 # that we've added manually
1589 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1590 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1591
1592 def test_214(self):
1593 """ Test behavior of ACEs containing generic rights
1594 """
1595 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1596 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1597 ou_dn2 = "OU=test_inherit_ou2," + ou_dn
1598 ou_dn3 = "OU=test_inherit_ou3," + ou_dn
1599 ou_dn4 = "OU=test_inherit_ou4," + ou_dn
1600 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1601 ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
1602 # Create inheritable-free OU
1603 mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1604 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1605 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1606 mod = "D:(A;CI;GA;;;DU)"
1607 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1608 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1609 mod = "D:(A;CIIO;GA;;;DU)"
1610 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1611 self.ldb_admin.create_ou(ou_dn2, sd=tmp_desc)
1612 mod = "D:(A;;GA;;;DU)"
1613 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1614 self.ldb_admin.create_ou(ou_dn3, sd=tmp_desc)
1615 mod = "D:(A;IO;GA;;;DU)"
1616 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1617 self.ldb_admin.create_ou(ou_dn4, sd=tmp_desc)
1618
1619 self.ldb_admin.create_ou(ou_dn5)
1620 self.ldb_admin.create_ou(ou_dn6)
1621
1622 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
1623 self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1624 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1625 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
1626 self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1627 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1628 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
1629 self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1630 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1631 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
1632 self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1633 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1634 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1635 self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1636 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1637 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
1638 self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1639 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1640
1641 def test_215(self):
1642 """ Make sure IO flag is removed in child objects
1643 """
1644 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1645 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1646 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1647 # Create inheritable-free OU
1648 mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1649 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1650 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1651 mod = "D:(A;CIIO;WP;;;DU)"
1652 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1653 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1654 self.ldb_admin.create_ou(ou_dn5)
1655 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1656 self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
1657 self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
1658
1659 def test_216(self):
1660 """ Make sure ID ACES provided by user are ignored
1661 """
1662 ou_dn = "OU=test_inherit_ou," + self.base_dn
1663 group_dn = "CN=test_inherit_group," + ou_dn
1664 mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1665 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1666 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1667 # Add some custom ACE
1668 mod = "D:(D;ID;WP;;;AU)"
1669 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1670 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1671 # Make sure created group object does not contain the ID ace
1672 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1673 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1674 self.assertFalse("(A;;WP;;;AU)" in desc_sddl)
1675
1676 def test_217(self):
1677 """ Make sure ID ACES provided by user are not ignored if P flag is set
1678 """
1679 ou_dn = "OU=test_inherit_ou," + self.base_dn
1680 group_dn = "CN=test_inherit_group," + ou_dn
1681 mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1682 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1683 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1684 # Add some custom ACE
1685 mod = "D:P(A;ID;WP;;;AU)"
1686 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1687 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1688 # Make sure created group object does not contain the ID ace
1689 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1690 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1691 self.assertTrue("(A;;WP;;;AU)" in desc_sddl)
1692
1693 ########################################################################################
1694
1695
1696 class SdFlagsDescriptorTests(DescriptorTests):
1697 def deleteAll(self):
1698 delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1699
1700 def setUp(self):
1701 super(SdFlagsDescriptorTests, self).setUp()
1702 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1703 self.deleteAll()
1704
1705 def test_301(self):
1706 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1707 See that only the owner has been changed.
1708 """
1709 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1710 self.ldb_admin.create_ou(ou_dn)
1711 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1712 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1713 # make sure we have modified the owner
1714 self.assertTrue("O:AU" in desc_sddl)
1715 # make sure nothing else has been modified
1716 self.assertFalse("G:AU" in desc_sddl)
1717 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1718 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1719
1720 def test_302(self):
1721 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1722 See that only the owner has been changed.
1723 """
1724 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1725 self.ldb_admin.create_ou(ou_dn)
1726 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1727 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1728 # make sure we have modified the group
1729 self.assertTrue("G:AU" in desc_sddl)
1730 # make sure nothing else has been modified
1731 self.assertFalse("O:AU" in desc_sddl)
1732 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1733 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1734
1735 def test_303(self):
1736 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1737 See that only the owner has been changed.
1738 """
1739 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1740 self.ldb_admin.create_ou(ou_dn)
1741 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1742 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1743 # make sure we have modified the DACL
1744 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1745 # make sure nothing else has been modified
1746 self.assertFalse("O:AU" in desc_sddl)
1747 self.assertFalse("G:AU" in desc_sddl)
1748 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1749
1750 def test_304(self):
1751 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1752 See that only the owner has been changed.
1753 """
1754 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1755 self.ldb_admin.create_ou(ou_dn)
1756 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1757 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1758 # make sure we have modified the DACL
1759 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1760 # make sure nothing else has been modified
1761 self.assertFalse("O:AU" in desc_sddl)
1762 self.assertFalse("G:AU" in desc_sddl)
1763 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1764
1765 def test_305(self):
1766 """ Modify a descriptor with 0x0 set.
1767 Contrary to logic this is interpreted as no control,
1768 which is the same as 0xF
1769 """
1770 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1771 self.ldb_admin.create_ou(ou_dn)
1772 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1773 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1774 # make sure we have modified the DACL
1775 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1776 # make sure nothing else has been modified
1777 self.assertTrue("O:AU" in desc_sddl)
1778 self.assertTrue("G:AU" in desc_sddl)
1779 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1780
1781 def test_306(self):
1782 """ Modify a descriptor with 0xF set.
1783 """
1784 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1785 self.ldb_admin.create_ou(ou_dn)
1786 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1787 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1788 # make sure we have modified the DACL
1789 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1790 # make sure nothing else has been modified
1791 self.assertTrue("O:AU" in desc_sddl)
1792 self.assertTrue("G:AU" in desc_sddl)
1793 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1794
1795 def test_307(self):
1796 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1797 Only the owner part should be returned.
1798 """
1799 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1800 self.ldb_admin.create_ou(ou_dn)
1801 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1802 # make sure we have read the owner
1803 self.assertTrue("O:" in desc_sddl)
1804 # make sure we have read nothing else
1805 self.assertFalse("G:" in desc_sddl)
1806 self.assertFalse("D:" in desc_sddl)
1807 self.assertFalse("S:" in desc_sddl)
1808
1809 def test_308(self):
1810 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1811 Only the group part should be returned.
1812 """
1813 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1814 self.ldb_admin.create_ou(ou_dn)
1815 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1816 # make sure we have read the owner
1817 self.assertTrue("G:" in desc_sddl)
1818 # make sure we have read nothing else
1819 self.assertFalse("O:" in desc_sddl)
1820 self.assertFalse("D:" in desc_sddl)
1821 self.assertFalse("S:" in desc_sddl)
1822
1823 def test_309(self):
1824 """ Read a descriptor with SACL_SECURITY_INFORMATION
1825 Only the sacl part should be returned.
1826 """
1827 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1828 self.ldb_admin.create_ou(ou_dn)
1829 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1830 # make sure we have read the owner
1831 self.assertTrue("S:" in desc_sddl)
1832 # make sure we have read nothing else
1833 self.assertFalse("O:" in desc_sddl)
1834 self.assertFalse("D:" in desc_sddl)
1835 self.assertFalse("G:" in desc_sddl)
1836
1837 def test_310(self):
1838 """ Read a descriptor with DACL_SECURITY_INFORMATION
1839 Only the dacl part should be returned.
1840 """
1841 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1842 self.ldb_admin.create_ou(ou_dn)
1843 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1844 # make sure we have read the owner
1845 self.assertTrue("D:" in desc_sddl)
1846 # make sure we have read nothing else
1847 self.assertFalse("O:" in desc_sddl)
1848 self.assertFalse("S:" in desc_sddl)
1849 self.assertFalse("G:" in desc_sddl)
1850
1851 def test_311(self):
1852 sd_flags = (SECINFO_OWNER |
1853 SECINFO_GROUP |
1854 SECINFO_DACL |
1855 SECINFO_SACL)
1856
1857 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1858 [], controls=None)
1859 self.assertFalse("nTSecurityDescriptor" in res[0])
1860
1861 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1862 ["name"], controls=None)
1863 self.assertFalse("nTSecurityDescriptor" in res[0])
1864
1865 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1866 ["name"], controls=["sd_flags:1:%d" % (sd_flags)])
1867 self.assertFalse("nTSecurityDescriptor" in res[0])
1868
1869 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1870 [], controls=["sd_flags:1:%d" % (sd_flags)])
1871 self.assertTrue("nTSecurityDescriptor" in res[0])
1872 tmp = res[0]["nTSecurityDescriptor"][0]
1873 sd = ndr_unpack(security.descriptor, tmp)
1874 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1875 self.assertTrue("O:" in sddl)
1876 self.assertTrue("G:" in sddl)
1877 self.assertTrue("D:" in sddl)
1878 self.assertTrue("S:" in sddl)
1879
1880 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1881 ["*"], controls=["sd_flags:1:%d" % (sd_flags)])
1882 self.assertTrue("nTSecurityDescriptor" in res[0])
1883 tmp = res[0]["nTSecurityDescriptor"][0]
1884 sd = ndr_unpack(security.descriptor, tmp)
1885 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1886 self.assertTrue("O:" in sddl)
1887 self.assertTrue("G:" in sddl)
1888 self.assertTrue("D:" in sddl)
1889 self.assertTrue("S:" in sddl)
1890
1891 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1892 ["nTSecurityDescriptor", "*"], controls=["sd_flags:1:%d" % (sd_flags)])
1893 self.assertTrue("nTSecurityDescriptor" in res[0])
1894 tmp = res[0]["nTSecurityDescriptor"][0]
1895 sd = ndr_unpack(security.descriptor, tmp)
1896 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1897 self.assertTrue("O:" in sddl)
1898 self.assertTrue("G:" in sddl)
1899 self.assertTrue("D:" in sddl)
1900 self.assertTrue("S:" in sddl)
1901
1902 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1903 ["*", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
1904 self.assertTrue("nTSecurityDescriptor" in res[0])
1905 tmp = res[0]["nTSecurityDescriptor"][0]
1906 sd = ndr_unpack(security.descriptor, tmp)
1907 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1908 self.assertTrue("O:" in sddl)
1909 self.assertTrue("G:" in sddl)
1910 self.assertTrue("D:" in sddl)
1911 self.assertTrue("S:" in sddl)
1912
1913 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1914 ["nTSecurityDescriptor", "name"], controls=["sd_flags:1:%d" % (sd_flags)])
1915 self.assertTrue("nTSecurityDescriptor" in res[0])
1916 tmp = res[0]["nTSecurityDescriptor"][0]
1917 sd = ndr_unpack(security.descriptor, tmp)
1918 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1919 self.assertTrue("O:" in sddl)
1920 self.assertTrue("G:" in sddl)
1921 self.assertTrue("D:" in sddl)
1922 self.assertTrue("S:" in sddl)
1923
1924 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1925 ["name", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
1926 self.assertTrue("nTSecurityDescriptor" in res[0])
1927 tmp = res[0]["nTSecurityDescriptor"][0]
1928 sd = ndr_unpack(security.descriptor, tmp)
1929 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1930 self.assertTrue("O:" in sddl)
1931 self.assertTrue("G:" in sddl)
1932 self.assertTrue("D:" in sddl)
1933 self.assertTrue("S:" in sddl)
1934
1935 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1936 ["nTSecurityDescriptor"], controls=None)
1937 self.assertTrue("nTSecurityDescriptor" in res[0])
1938 tmp = res[0]["nTSecurityDescriptor"][0]
1939 sd = ndr_unpack(security.descriptor, tmp)
1940 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1941 self.assertTrue("O:" in sddl)
1942 self.assertTrue("G:" in sddl)
1943 self.assertTrue("D:" in sddl)
1944 self.assertTrue("S:" in sddl)
1945
1946 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1947 ["name", "nTSecurityDescriptor"], controls=None)
1948 self.assertTrue("nTSecurityDescriptor" in res[0])
1949 tmp = res[0]["nTSecurityDescriptor"][0]
1950 sd = ndr_unpack(security.descriptor, tmp)
1951 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1952 self.assertTrue("O:" in sddl)
1953 self.assertTrue("G:" in sddl)
1954 self.assertTrue("D:" in sddl)
1955 self.assertTrue("S:" in sddl)
1956
1957 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1958 ["nTSecurityDescriptor", "name"], controls=None)
1959 self.assertTrue("nTSecurityDescriptor" in res[0])
1960 tmp = res[0]["nTSecurityDescriptor"][0]
1961 sd = ndr_unpack(security.descriptor, tmp)
1962 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1963 self.assertTrue("O:" in sddl)
1964 self.assertTrue("G:" in sddl)
1965 self.assertTrue("D:" in sddl)
1966 self.assertTrue("S:" in sddl)
1967
1968 def test_312(self):
1969 """This search is done by the windows dc join..."""
1970
1971 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["1.1"],
1972 controls=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"])
1973 self.assertFalse("nTSecurityDescriptor" in res[0])
1974
1975 class RightsAttributesTests(DescriptorTests):
1976
1977 def deleteAll(self):
1978 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1979 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1980 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1981
1982 def setUp(self):
1983 super(RightsAttributesTests, self).setUp()
1984 self.deleteAll()
1985 ### Create users
1986 # User 1
1987 self.ldb_admin.newuser("testuser_attr", "samba123@")
1988 # User 2, Domain Admins
1989 self.ldb_admin.newuser("testuser_attr2", "samba123@")
1990 self.ldb_admin.add_remove_group_members("Domain Admins",
1991 ["testuser_attr2"],
1992 add_members_operation=True)
1993
1994 def test_sDRightsEffective(self):
1995 object_dn = "OU=test_domain_ou1," + self.base_dn
1996 delete_force(self.ldb_admin, object_dn)
1997 self.ldb_admin.create_ou(object_dn)
1998 print self.get_users_domain_dn("testuser_attr")
1999 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2000 #give testuser1 read access so attributes can be retrieved
2001 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2002 self.sd_utils.dacl_add_ace(object_dn, mod)
2003 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2004 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2005 attrs=["sDRightsEffective"])
2006 #user whould have no rights at all
2007 self.assertEquals(len(res), 1)
2008 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
2009 #give the user Write DACL and see what happens
2010 mod = "(A;CI;WD;;;%s)" % str(user_sid)
2011 self.sd_utils.dacl_add_ace(object_dn, mod)
2012 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2013 attrs=["sDRightsEffective"])
2014 #user whould have DACL_SECURITY_INFORMATION
2015 self.assertEquals(len(res), 1)
2016 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
2017 #give the user Write Owners and see what happens
2018 mod = "(A;CI;WO;;;%s)" % str(user_sid)
2019 self.sd_utils.dacl_add_ace(object_dn, mod)
2020 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2021 attrs=["sDRightsEffective"])
2022 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2023 self.assertEquals(len(res), 1)
2024 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
2025 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
2026 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
2027 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2028 attrs=["sDRightsEffective"])
2029 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2030 self.assertEquals(len(res), 1)
2031 self.assertEquals(res[0]["sDRightsEffective"][0], \
2032 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
2033
2034 def test_allowedChildClassesEffective(self):
2035 object_dn = "OU=test_domain_ou1," + self.base_dn
2036 delete_force(self.ldb_admin, object_dn)
2037 self.ldb_admin.create_ou(object_dn)
2038 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2039 #give testuser1 read access so attributes can be retrieved
2040 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2041 self.sd_utils.dacl_add_ace(object_dn, mod)
2042 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2043 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2044 attrs=["allowedChildClassesEffective"])
2045 #there should be no allowed child classes
2046 self.assertEquals(len(res), 1)
2047 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
2048 #give the user the right to create children of type user
2049 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2050 self.sd_utils.dacl_add_ace(object_dn, mod)
2051 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2052 attrs=["allowedChildClassesEffective"])
2053 # allowedChildClassesEffective should only have one value, user
2054 self.assertEquals(len(res), 1)
2055 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
2056 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
2057
2058 def test_allowedAttributesEffective(self):
2059 object_dn = "OU=test_domain_ou1," + self.base_dn
2060 delete_force(self.ldb_admin, object_dn)
2061 self.ldb_admin.create_ou(object_dn)
2062 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2063 #give testuser1 read access so attributes can be retrieved
2064 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2065 self.sd_utils.dacl_add_ace(object_dn, mod)
2066 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2067 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2068 attrs=["allowedAttributesEffective"])
2069 #there should be no allowed attributes
2070 self.assertEquals(len(res), 1)
2071 self.assertFalse("allowedAttributesEffective" in res[0].keys())
2072 #give the user the right to write displayName and managedBy
2073 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2074 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
2075 # also rights to modify an read only attribute, fromEntry
2076 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
2077 self.sd_utils.dacl_add_ace(object_dn, mod + mod2 + mod3)
2078 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2079 attrs=["allowedAttributesEffective"])
2080 # value should only contain user and managedBy
2081 self.assertEquals(len(res), 1)
2082 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
2083 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
2084 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
2085
2086 class SdAutoInheritTests(DescriptorTests):
2087 def deleteAll(self):
2088 delete_force(self.ldb_admin, self.sub_dn)
2089 delete_force(self.ldb_admin, self.ou_dn)
2090
2091 def setUp(self):
2092 super(SdAutoInheritTests, self).setUp()
2093 self.ou_dn = "OU=test_SdAutoInherit_ou," + self.base_dn
2094 self.sub_dn = "OU=test_sub," + self.ou_dn
2095 self.deleteAll()
2096
2097 def test_301(self):
2098 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
2099 See that only the owner has been changed.
2100 """
2101 attrs = ["nTSecurityDescriptor", "replPropertyMetaData", "uSNChanged"]
2102 controls=["sd_flags:1:%d" % (SECINFO_DACL)]
2103 ace = "(A;CI;CC;;;NU)"
2104 sub_ace = "(A;CIID;CC;;;NU)"
2105 sd_sddl = "O:BAG:BAD:P(A;CI;0x000f01ff;;;AU)"
2106 sd = security.descriptor.from_sddl(sd_sddl, self.domain_sid)
2107
2108 self.ldb_admin.create_ou(self.ou_dn,sd=sd)
2109 self.ldb_admin.create_ou(self.sub_dn)
2110
2111 ou_res0 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
2112 None, attrs, controls=controls)
2113 sub_res0 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
2114 None, attrs, controls=controls)
2115
2116 ou_sd0 = ndr_unpack(security.descriptor, ou_res0[0]["nTSecurityDescriptor"][0])
2117 sub_sd0 = ndr_unpack(security.descriptor, sub_res0[0]["nTSecurityDescriptor"][0])
2118
2119 ou_sddl0 = ou_sd0.as_sddl(self.domain_sid)
2120 sub_sddl0 = sub_sd0.as_sddl(self.domain_sid)
2121
2122 self.assertFalse(ace in ou_sddl0)
2123 self.assertFalse(ace in sub_sddl0)
2124
2125 ou_sddl1 = (ou_sddl0[:ou_sddl0.index("(")] + ace +
2126 ou_sddl0[ou_sddl0.index("("):])
2127
2128 sub_sddl1 = (sub_sddl0[:sub_sddl0.index("(")] + ace +
2129 sub_sddl0[sub_sddl0.index("("):])
2130
2131 self.sd_utils.modify_sd_on_dn(self.ou_dn, ou_sddl1, controls=controls)
2132
2133 sub_res2 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
2134 None, attrs, controls=controls)
2135 ou_res2 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
2136 None, attrs, controls=controls)
2137
2138 ou_sd2 = ndr_unpack(security.descriptor, ou_res2[0]["nTSecurityDescriptor"][0])
2139 sub_sd2 = ndr_unpack(security.descriptor, sub_res2[0]["nTSecurityDescriptor"][0])
2140
2141 ou_sddl2 = ou_sd2.as_sddl(self.domain_sid)
2142 sub_sddl2 = sub_sd2.as_sddl(self.domain_sid)
2143
2144 self.assertFalse(ou_sddl2 == ou_sddl0)
2145 self.assertFalse(sub_sddl2 == sub_sddl0)
2146
2147 if ace not in ou_sddl2:
2148 print "ou0: %s" % ou_sddl0
2149 print "ou2: %s" % ou_sddl2
2150
2151 if sub_ace not in sub_sddl2:
2152 print "sub0: %s" % sub_sddl0
2153 print "sub2: %s" % sub_sddl2
2154
2155 self.assertTrue(ace in ou_sddl2)
2156 self.assertTrue(sub_ace in sub_sddl2)
2157
2158 ou_usn0 = int(ou_res0[0]["uSNChanged"][0])
2159 ou_usn2 = int(ou_res2[0]["uSNChanged"][0])
2160 self.assertTrue(ou_usn2 > ou_usn0)
2161
2162 sub_usn0 = int(sub_res0[0]["uSNChanged"][0])
2163 sub_usn2 = int(sub_res2[0]["uSNChanged"][0])
2164 self.assertTrue(sub_usn2 == sub_usn0)
2165
2166 if not "://" in host:
2167 if os.path.isfile(host):
2168 host = "tdb://%s" % host
2169 else:
2170 host = "ldap://%s" % host
2171
2172 # use 'paged_search' module when connecting remotely
2173 if host.lower().startswith("ldap://"):
2174 ldb_options = ["modules:paged_searches"]
2175
2176 ldb = SamDB(host,
2177 credentials=creds,
2178 session_info=system_session(lp),
2179 lp=lp,
2180 options=ldb_options)
2181
2182 runner = SubunitTestRunner()
2183 rc = 0
2184 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
2185 rc = 1
2186 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
2187 rc = 1
2188 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
2189 rc = 1
2190 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
2191 rc = 1
2192 if not runner.run(unittest.makeSuite(SdAutoInheritTests)).wasSuccessful():
2193 rc = 1
2194 sys.exit(rc)
reg import