From 93ba17285d8afb0d6e4040bf443e88ca4ad5147e Mon Sep 17 00:00:00 2001 From: Nadezhda Ivanova Date: Sun, 26 Sep 2010 11:39:36 -0700 Subject: [PATCH] s4-tests: Added tests for search checks on attributes The ACL reach tests are in the knowfail because aclread module is not enabled by default --- source4/dsdb/tests/python/acl.py | 105 +++++++++++++++++++++++++++++++++++++-- source4/selftest/knownfail | 2 + 2 files changed, 102 insertions(+), 5 deletions(-) diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index 3897a60c378..ae51044c604 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -716,8 +716,13 @@ class AclSearchTests(AclTests): self.u2 = "search_u2" self.u3 = "search_u3" self.group1 = "group1" - self.anonymous = SamDB(url=host, session_info=system_session(), - lp=lp) + self.creds_tmp = Credentials() + self.creds_tmp.set_username("") + self.creds_tmp.set_password("") + self.creds_tmp.set_domain(creds.get_domain()) + self.creds_tmp.set_realm(creds.get_realm()) + self.creds_tmp.set_workstation(creds.get_workstation()) + self.anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp); res = self.ldb_admin.search("CN=Directory Service, CN=Windows NT, CN=Services, " + self.configuration_dn, scope=SCOPE_BASE, attrs=["dSHeuristics"]) if "dSHeuristics" in res[0]: @@ -769,7 +774,6 @@ class AclSearchTests(AclTests): def tearDown(self): super(AclSearchTests, self).tearDown() - self.set_dsheuristics(self.dsheuristics) self.delete_force(self.ldb_admin, "OU=test_search_ou2,OU=test_search_ou1," + self.base_dn) self.delete_force(self.ldb_admin, "OU=test_search_ou1," + self.base_dn) self.delete_force(self.ldb_admin, "OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn) @@ -838,9 +842,10 @@ class AclSearchTests(AclTests): self.assertEquals(len(res), 1) self.assertTrue("dn" in res[0]) self.assertTrue(res[0]["dn"] == Dn(self.ldb_admin, self.configuration_dn)) + self.set_dsheuristics(self.dsheuristics) def test_search1(self): - """Make sure users can see ous if given LC to user and group""" + """Make sure users can see us if given LC to user and group""" self.create_clean_ou("OU=ou1," + self.base_dn) mod = "(A;;LC;;;%s)(A;;LC;;;%s)" % (str(self.user_sid), str(self.group_sid)) self.dacl_add_ace("OU=ou1," + self.base_dn, mod) @@ -879,7 +884,7 @@ class AclSearchTests(AclTests): self.assertEquals(sorted(res_list), sorted(self.full_list)) def test_search2(self): - """Make sure users can't see ous if access is explicitly denied""" + """Make sure users can't see us if access is explicitly denied""" self.create_clean_ou("OU=ou1," + self.base_dn) self.create_ou(self.ldb_admin, "OU=ou2,OU=ou1," + self.base_dn) self.create_ou(self.ldb_admin, "OU=ou3,OU=ou2,OU=ou1," + self.base_dn) @@ -926,6 +931,15 @@ class AclSearchTests(AclTests): self.create_ou(self.ldb_admin, "OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn, "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)") + print "Testing correct behavior on nonaccessible search base" + try: + self.ldb_user3.search("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)", + scope=SCOPE_BASE) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + else: + self.fail() + mod = "(D;;LC;;;%s)(D;;LC;;;%s)" % (str(self.user_sid), str(self.group_sid)) self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) @@ -985,6 +999,85 @@ class AclSearchTests(AclTests): res_list = [ x["dn"] for x in res if x["dn"] in ok_list ] self.assertEquals(sorted(res_list), sorted(ok_list)) + def test_search5(self): + """Make sure users can see only attributes they are allowed to see""" + self.create_clean_ou("OU=ou1," + self.base_dn) + mod = "(A;CI;LC;;;%s)" % (str(self.user_sid)) + self.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.create_ou(self.ldb_admin, "OU=ou2,OU=ou1," + self.base_dn, + "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod) + # assert user can only see dn + res = self.ldb_user.search("OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)", + scope=SCOPE_SUBTREE) + ok_list = ['dn'] + self.assertEquals(len(res), 1) + res_list = res[0].keys() + self.assertEquals(res_list, ok_list) + + res = self.ldb_user.search("OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)", + scope=SCOPE_BASE, attrs=["ou"]) + + self.assertEquals(len(res), 1) + res_list = res[0].keys() + self.assertEquals(res_list, ok_list) + + #give read property on ou and assert user can only see dn and ou + mod = "(OA;;RP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % (str(self.user_sid)) + self.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) + res = self.ldb_user.search("OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)", + scope=SCOPE_SUBTREE) + ok_list = ['dn', 'ou'] + self.assertEquals(len(res), 1) + res_list = res[0].keys() + self.assertEquals(sorted(res_list), sorted(ok_list)) + + #give read property on Public Information and assert user can see ou and other members + mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;%s)" % (str(self.user_sid)) + self.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) + res = self.ldb_user.search("OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)", + scope=SCOPE_SUBTREE) + + ok_list = ['dn', 'objectClass', 'ou', 'distinguishedName', 'name', 'objectGUID', 'objectCategory'] + res_list = res[0].keys() + self.assertEquals(sorted(res_list), sorted(ok_list)) + + def test_search6(self): + """If an attribute that cannot be read is used in a filter, it is as if the attribute does not exist""" + self.create_clean_ou("OU=ou1," + self.base_dn) + mod = "(A;CI;LCCC;;;%s)" % (str(self.user_sid)) + self.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.create_ou(self.ldb_admin, "OU=ou2,OU=ou1," + self.base_dn, + "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod) + self.create_ou(self.ldb_user, "OU=ou3,OU=ou2,OU=ou1," + self.base_dn, + "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)") + + res = self.ldb_user.search("OU=ou1," + self.base_dn, expression="(ou=ou3)", + scope=SCOPE_SUBTREE) + #nothing should be returned as ou is not accessible + self.assertEquals(res, []) + + #give read property on ou and assert user can only see dn and ou + mod = "(OA;;RP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % (str(self.user_sid)) + self.dacl_add_ace("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, mod) + res = self.ldb_user.search("OU=ou1," + self.base_dn, expression="(ou=ou3)", + scope=SCOPE_SUBTREE) + self.assertEquals(len(res), 1) + ok_list = ['dn', 'ou'] + res_list = res[0].keys() + self.assertEquals(sorted(res_list), sorted(ok_list)) + + #give read property on Public Information and assert user can see ou and other members + mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;%s)" % (str(self.user_sid)) + self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) + res = self.ldb_user.search("OU=ou1," + self.base_dn, expression="(ou=ou2)", + scope=SCOPE_SUBTREE) + self.assertEquals(len(res), 1) + ok_list = ['dn', 'objectClass', 'ou', 'distinguishedName', 'name', 'objectGUID', 'objectCategory'] + res_list = res[0].keys() + self.assertEquals(sorted(res_list), sorted(ok_list)) + #tests on ldap delete operations class AclDeleteTests(AclTests): @@ -1546,5 +1639,7 @@ if not runner.run(unittest.makeSuite(AclRenameTests)).wasSuccessful(): rc = 1 if not runner.run(unittest.makeSuite(AclCARTests)).wasSuccessful(): rc = 1 +if not runner.run(unittest.makeSuite(AclSearchTests)).wasSuccessful(): + rc = 1 sys.exit(rc) diff --git a/source4/selftest/knownfail b/source4/selftest/knownfail index caff2f557f8..971e9c638c2 100644 --- a/source4/selftest/knownfail +++ b/source4/selftest/knownfail @@ -78,3 +78,5 @@ samba4.smb2.acls.*.OWNER samba4.smb2.compound.*.RELATED1 samba4.smb2.compound.*.RELATED2 samba4.smb2.compound.*.INVALID2 +samba4.ldap.acl.*.search.* # ACL search behaviour not enabled by default + -- 2.11.4.GIT