#!/usr/bin/env python
# -*- coding: utf-8 -*-
import optparse
import sys
import os
import base64
import re
import random
# Make the in-tree python bindings importable when run from the build tree
sys.path.append("bin/python")

import samba
# NOTE(review): presumably points samba at bundled copies of subunit and
# testtools when they are not installed system-wide -- confirm against
# samba.ensure_external_module
samba.ensure_external_module("subunit", "subunit/python")
samba.ensure_external_module("testtools", "testtools")
import samba . getopt as options
# Some error messages that are being tested
from ldb import SCOPE_SUBTREE , SCOPE_BASE , LdbError , ERR_NO_SUCH_OBJECT
# For running the test unit
from samba . ndr import ndr_pack , ndr_unpack
from samba . dcerpc import security
from samba import gensec
from samba . samdb import SamDB
from samba . credentials import Credentials
from samba . auth import system_session
from samba . dsdb import DS_DOMAIN_FUNCTION_2008
from samba . dcerpc . security import (
SECINFO_OWNER , SECINFO_GROUP , SECINFO_DACL , SECINFO_SACL )
from subunit . run import SubunitTestRunner
import samba . tests
import unittest
# Command line: sec_descriptor [options] <host>
parser = optparse.OptionParser("sec_descriptor [options] <host>")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
# use command line creds if available
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
opts, args = parser.parse_args()

# The target host is the one mandatory positional argument.
if not args:
    parser.print_usage()
    sys.exit(1)
host = args[0]

lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
# Ask GENSEC to seal the session on top of whatever features the command
# line credentials already carry.
sealed_features = creds.get_gensec_features() | gensec.FEATURE_SEAL
creds.set_gensec_features(sealed_features)
#
# Tests start here
#
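class DescriptorTests(samba.tests.TestCase):
    """Base class for the nTSecurityDescriptor tests.

    setUp() takes the module-level admin connection ``ldb`` and discovers the
    naming contexts and the domain SID.  The helpers build LDIF and submit it
    through whichever connection the caller passes in, so a test can act
    either as the admin or as the (less privileged) user under test.
    """

    def delete_force(self, ldb, dn):
        """Delete *dn* via *ldb*; a missing object is not an error.

        Any LdbError other than ERR_NO_SUCH_OBJECT fails the test.
        """
        try:
            ldb.delete(dn)
        except LdbError as e:
            (num, _) = e.args
            self.assertEqual(num, ERR_NO_SUCH_OBJECT)

    def _root_dse_attr(self, ldb, attr):
        """Return the single value of *attr* from the rootDSE of *ldb*.

        Shared by the find_*dn helpers; asserts that exactly one entry is
        returned.
        """
        res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=[attr])
        self.assertEqual(len(res), 1)
        return res[0][attr][0]

    def find_basedn(self, ldb):
        """Return the domain naming context (defaultNamingContext)."""
        return self._root_dse_attr(ldb, "defaultNamingContext")

    def find_configurationdn(self, ldb):
        """Return the configuration naming context."""
        return self._root_dse_attr(ldb, "configurationNamingContext")

    def find_schemadn(self, ldb):
        """Return the schema naming context."""
        return self._root_dse_attr(ldb, "schemaNamingContext")

    def find_domain_sid(self, ldb):
        """Return the domain SID, unpacked from the objectSid of self.base_dn."""
        res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
        return ndr_unpack(security.dom_sid, res[0]["objectSid"][0])

    def get_users_domain_dn(self, name):
        """Return the DN of *name* inside the domain's CN=Users container."""
        return "CN=%s,CN=Users,%s" % (name, self.base_dn)

    @staticmethod
    def _rdn_value(dn):
        """Return the value of the leftmost RDN of *dn*.

        Only the first comma-separated component is looked at and its first
        three characters are dropped, so this assumes a two-letter attribute
        type such as "CN=" or "OU=".
        """
        return dn.split(",")[0][3:]

    @staticmethod
    def _sd_ldif_line(desc):
        """Return the LDIF line that carries *desc* as nTSecurityDescriptor.

        A str is taken to be SDDL and written verbatim; a security.descriptor
        is NDR-packed and base64 encoded (the LDIF "::" form).

        Raises TypeError for any other type (an explicit check rather than an
        assert, so it is not stripped under -O).
        """
        if isinstance(desc, str):
            return "nTSecurityDescriptor: %s" % desc
        if isinstance(desc, security.descriptor):
            return "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
        raise TypeError("desc must be an SDDL str or a security.descriptor, got %r" % (type(desc),))

    def modify_desc(self, _ldb, object_dn, desc, controls=None):
        """Replace the nTSecurityDescriptor of *object_dn* through *_ldb*.

        desc: SDDL str or security.descriptor (see _sd_ldif_line).
        controls: optional LDB controls handed to modify_ldif.
        """
        mod = """
dn: """ + object_dn + """
changetype: modify
replace: nTSecurityDescriptor
"""
        mod += self._sd_ldif_line(desc)
        _ldb.modify_ldif(mod, controls)

    def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
        """Add an organizationalUnit at *ou_dn* through *_ldb*.

        desc: optional SDDL str or security.descriptor set at creation time.
        controls: optional LDB controls handed to add_ldif.
        """
        ldif = """
dn: """ + ou_dn + """
ou: """ + self._rdn_value(ou_dn) + """
objectClass: organizationalUnit
url: www.example.com
"""
        if desc:
            ldif += self._sd_ldif_line(desc)
        _ldb.add_ldif(ldif, controls)

    def create_domain_user(self, _ldb, user_dn, desc=None):
        """Add a user at *user_dn* (sAMAccountName taken from the RDN) through *_ldb*.

        The account gets the fixed test password via userPassword.
        desc: optional SDDL str or security.descriptor set at creation time.
        """
        ldif = """
dn: """ + user_dn + """
sAMAccountName: """ + self._rdn_value(user_dn) + """
objectClass: user
userPassword: samba123@
url: www.example.com
"""
        if desc:
            ldif += self._sd_ldif_line(desc)
        _ldb.add_ldif(ldif)

    def create_domain_group(self, _ldb, group_dn, desc=None):
        """Add a group (groupType 4) at *group_dn* through *_ldb*.

        desc: optional SDDL str or security.descriptor set at creation time.
        """
        ldif = """
dn: """ + group_dn + """
objectClass: group
sAMAccountName: """ + self._rdn_value(group_dn) + """
groupType: 4
url: www.example.com
"""
        if desc:
            ldif += self._sd_ldif_line(desc)
        _ldb.add_ldif(ldif)

    def get_unique_schema_class_name(self):
        """Return a random "test-class<N>" name that does not yet exist in the schema NC.

        Candidates are drawn until a base search for CN=<name>,<schema_dn>
        fails with ERR_NO_SUCH_OBJECT; any other LDB error fails the test.
        """
        while True:
            class_name = "test-class%s" % random.randint(1, 100000)
            class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
            try:
                self.ldb_admin.search(base=class_dn, attrs=["*"])
            except LdbError as e:
                (num, _) = e.args
                self.assertEqual(num, ERR_NO_SUCH_OBJECT)
                return class_name

    def create_schema_class(self, _ldb, object_dn, desc=None):
        """Add a classSchema object at *object_dn* through *_ldb*.

        The governsID OID gets a random component so repeated runs do not
        collide.  desc: optional SDDL str or security.descriptor.
        """
        ldif = """
dn: """ + object_dn + """
objectClass: classSchema
objectCategory: CN=Class-Schema,""" + self.schema_dn + """
defaultObjectCategory: """ + object_dn + """
distinguishedName: """ + object_dn + """
governsID: 1.2.840.""" + str(random.randint(1, 100000)) + """.1.5.9939
instanceType: 4
objectClassCategory: 1
subClassOf: organizationalPerson
systemFlags: 16
rDNAttID: cn
systemMustContain: cn
systemOnly: FALSE
"""
        if desc:
            ldif += self._sd_ldif_line(desc)
        _ldb.add_ldif(ldif)

    def create_configuration_container(self, _ldb, object_dn, desc=None):
        """Add a container object at *object_dn* (configuration NC) through *_ldb*.

        desc: optional SDDL str or security.descriptor set at creation time.
        """
        ldif = """
dn: """ + object_dn + """
objectClass: container
objectCategory: CN=Container,""" + self.schema_dn + """
showInAdvancedViewOnly: TRUE
instanceType: 4
"""
        if desc:
            ldif += self._sd_ldif_line(desc)
        _ldb.add_ldif(ldif)

    def create_configuration_specifier(self, _ldb, object_dn, desc=None):
        """Add a displaySpecifier object at *object_dn* through *_ldb*.

        desc: optional SDDL str or security.descriptor set at creation time.
        """
        ldif = """
dn: """ + object_dn + """
objectClass: displaySpecifier
showInAdvancedViewOnly: TRUE
"""
        if desc:
            ldif += self._sd_ldif_line(desc)
        _ldb.add_ldif(ldif)

    def read_desc(self, object_dn, controls=None):
        """Return the nTSecurityDescriptor of *object_dn* as a security.descriptor.

        Always read through the admin connection.  *controls* is passed to
        the search unchanged (presumably to select which descriptor parts are
        returned; see the SECINFO_* imports).
        """
        res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE,
                                    attrs=["nTSecurityDescriptor"], controls=controls)
        return ndr_unpack(security.descriptor, res[0]["nTSecurityDescriptor"][0])

    def create_active_user(self, _ldb, user_dn):
        """Add a user at *user_dn* with the fixed test password through *_ldb*.

        The password is written as unicodePwd: the quoted password encoded as
        UTF-16-LE and base64'd (LDIF "::" form).  Writing unicodePwd is
        presumably why every connection in this file requests FEATURE_SEAL.
        """
        ldif = """
dn: """ + user_dn + """
sAMAccountName: """ + self._rdn_value(user_dn) + """
objectClass: user
unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
url: www.example.com
"""
        _ldb.add_ldif(ldif)

    def add_user_to_group(self, _ldb, username, groupname):
        """Add the CN=Users entry *username* to the member list of *groupname*."""
        ldif = """
dn: """ + self.get_users_domain_dn(groupname) + """
changetype: modify
add: member
member: """ + self.get_users_domain_dn(username)
        _ldb.modify_ldif(ldif)

    def get_ldb_connection(self, target_username, target_password):
        """Open a SamDB connection to ``host`` as *target_username*.

        Domain, realm and workstation are copied from the command-line
        credentials; only user and password differ.  FEATURE_SEAL is
        requested, as for the admin connection.
        """
        creds_tmp = Credentials()
        creds_tmp.set_username(target_username)
        creds_tmp.set_password(target_password)
        creds_tmp.set_domain(creds.get_domain())
        creds_tmp.set_realm(creds.get_realm())
        creds_tmp.set_workstation(creds.get_workstation())
        creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
                                      | gensec.FEATURE_SEAL)
        return SamDB(url=host, credentials=creds_tmp, lp=lp)

    def get_object_sid(self, object_dn):
        """Return the objectSid of *object_dn* as a security.dom_sid (admin connection)."""
        res = self.ldb_admin.search(object_dn)
        return ndr_unpack(security.dom_sid, res[0]["objectSid"][0])

    def dacl_add_ace(self, object_dn, ace):
        """Put the SDDL ACE *ace* in front of the DACL of *object_dn* (admin connection).

        No-op when the ACE text already occurs in the SDDL (a plain substring
        check).  The ACE is inserted before the first "(" so it precedes the
        existing ACEs; a DACL without any ACE just gets it appended.
        """
        desc = self.read_desc(object_dn)
        desc_sddl = desc.as_sddl(self.domain_sid)
        if ace in desc_sddl:
            return
        first_ace = desc_sddl.find("(")
        if first_ace >= 0:
            desc_sddl = desc_sddl[:first_ace] + ace + desc_sddl[first_ace:]
        else:
            desc_sddl = desc_sddl + ace
        self.modify_desc(self.ldb_admin, object_dn, desc_sddl)

    def get_desc_sddl(self, object_dn, controls=None):
        """Return the nTSecurityDescriptor of *object_dn* in SDDL form.

        *controls* is forwarded to read_desc.
        """
        desc = self.read_desc(object_dn, controls)
        return desc.as_sddl(self.domain_sid)

    def create_enable_user(self, username):
        """Create *username* under CN=Users with the fixed test password and enable it."""
        user_dn = self.get_users_domain_dn(username)
        self.create_active_user(self.ldb_admin, user_dn)
        self.ldb_admin.enable_account("(sAMAccountName=" + username + ")")

    def setUp(self):
        """Bind the admin connection and discover the naming contexts and domain SID."""
        super(DescriptorTests, self).setUp()
        # ``ldb`` is a module global -- the admin SamDB connection -- expected
        # to be bound elsewhere in this file before the tests run.
        self.ldb_admin = ldb
        self.base_dn = self.find_basedn(self.ldb_admin)
        self.configuration_dn = self.find_configurationdn(self.ldb_admin)
        self.schema_dn = self.find_schemadn(self.ldb_admin)
        self.domain_sid = self.find_domain_sid(self.ldb_admin)
        print("baseDN: %s" % self.base_dn)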
################################################################################################
## Tests for DOMAIN
# Default descriptor tests #####################################################################
class OwnerGroupDescriptorTests ( DescriptorTests ) :
def deleteAll(self):
    """Remove every object the tests in this class create (users, groups, OUs, containers).

    Uses delete_force, so objects that do not exist are silently skipped.
    Children are deleted before their parents.
    """
    admin = self.ldb_admin
    for user_name in ("testuser1", "testuser2", "testuser3", "testuser4",
                      "testuser5", "testuser6", "testuser7", "testuser8"):
        self.delete_force(admin, self.get_users_domain_dn(user_name))
    # DOMAIN
    self.delete_force(admin, self.get_users_domain_dn("test_domain_group1"))
    self.delete_force(admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
    self.delete_force(admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
    self.delete_force(admin, "OU=test_domain_ou1," + self.base_dn)
    # SCHEMA
    # CONFIGURATION
    specifier_dn = ("CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers,"
                    + self.configuration_dn)
    self.delete_force(admin, specifier_dn)
    self.delete_force(admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
def setUp(self):
    """Create the eight test users with their group memberships and build
    the table of expected owner/group SDDL per test number.

    ``self.results`` maps a behaviour-level key to {test number: "O:..G:.."};
    entries containing ``%s`` expect the acting user's SID to be substituted
    by the test.  ``self.DS_BEHAVIOR`` selects the key from the domain's
    msDS-Behavior-Version.
    """
    super(OwnerGroupDescriptorTests, self).setUp()
    self.deleteAll()

    ### Create users: (name, groups the user is added to)
    memberships = [
        ("testuser1", ["Enterprise Admins"]),
        ("testuser2", ["Domain Admins"]),
        ("testuser3", ["Schema Admins"]),
        ("testuser4", []),
        ("testuser5", ["Enterprise Admins", "Domain Admins"]),
        ("testuser6", ["Enterprise Admins", "Domain Admins", "Schema Admins"]),
        ("testuser7", ["Domain Admins", "Schema Admins"]),
        ("testuser8", ["Enterprise Admins", "Schema Admins"]),
    ]
    for user_name, groups in memberships:
        self.create_enable_user(user_name)
        for group_name in groups:
            self.add_user_to_group(self.ldb_admin, user_name, group_name)

    self.results = {
        # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
        "ds_behavior_win2003": {
            "100": "O:EAG:DU",
            "101": "O:DAG:DU",
            "102": "O:%sG:DU",
            "103": "O:%sG:DU",
            "104": "O:DAG:DU",
            "105": "O:DAG:DU",
            "106": "O:DAG:DU",
            "107": "O:EAG:DU",
            "108": "O:DAG:DA",
            "109": "O:DAG:DA",
            "110": "O:%sG:DA",
            "111": "O:%sG:DA",
            "112": "O:DAG:DA",
            "113": "O:DAG:DA",
            "114": "O:DAG:DA",
            "115": "O:DAG:DA",
            "130": "O:EAG:DU",
            "131": "O:DAG:DU",
            "132": "O:SAG:DU",
            "133": "O:%sG:DU",
            "134": "O:EAG:DU",
            "135": "O:SAG:DU",
            "136": "O:SAG:DU",
            "137": "O:SAG:DU",
            "138": "O:DAG:DA",
            "139": "O:DAG:DA",
            "140": "O:%sG:DA",
            "141": "O:%sG:DA",
            "142": "O:DAG:DA",
            "143": "O:DAG:DA",
            "144": "O:DAG:DA",
            "145": "O:DAG:DA",
            "160": "O:EAG:DU",
            "161": "O:DAG:DU",
            "162": "O:%sG:DU",
            "163": "O:%sG:DU",
            "164": "O:EAG:DU",
            "165": "O:EAG:DU",
            "166": "O:DAG:DU",
            "167": "O:EAG:DU",
            "168": "O:DAG:DA",
            "169": "O:DAG:DA",
            "170": "O:%sG:DA",
            "171": "O:%sG:DA",
            "172": "O:DAG:DA",
            "173": "O:DAG:DA",
            "174": "O:DAG:DA",
            "175": "O:DAG:DA",
        },
        # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
        "ds_behavior_win2008": {
            "100": "O:EAG:EA",
            "101": "O:DAG:DA",
            "102": "O:%sG:DU",
            "103": "O:%sG:DU",
            "104": "O:DAG:DA",
            "105": "O:DAG:DA",
            "106": "O:DAG:DA",
            "107": "O:EAG:EA",
            "108": "O:DAG:DA",
            "109": "O:DAG:DA",
            "110": "O:%sG:DA",
            "111": "O:%sG:DA",
            "112": "O:DAG:DA",
            "113": "O:DAG:DA",
            "114": "O:DAG:DA",
            "115": "O:DAG:DA",
            "130": "O:EAG:EA",
            "131": "O:DAG:DA",
            "132": "O:SAG:SA",
            "133": "O:%sG:DU",
            "134": "O:EAG:EA",
            "135": "O:SAG:SA",
            "136": "O:SAG:SA",
            "137": "O:SAG:SA",
            "138": "",
            "139": "",
            "140": "O:%sG:DA",
            "141": "O:%sG:DA",
            "142": "",
            "143": "",
            "144": "",
            "145": "",
            "160": "O:EAG:EA",
            "161": "O:DAG:DA",
            "162": "O:%sG:DU",
            "163": "O:%sG:DU",
            "164": "O:EAG:EA",
            "165": "O:EAG:EA",
            "166": "O:DAG:DA",
            "167": "O:EAG:EA",
            "168": "O:DAG:DA",
            "169": "O:DAG:DA",
            "170": "O:%sG:DA",
            "171": "O:%sG:DA",
            "172": "O:DAG:DA",
            "173": "O:DAG:DA",
            "174": "O:DAG:DA",
            "175": "O:DAG:DA",
        },
    }

    # Discover 'msDS-Behavior-Version' of the domain head to pick the table
    res = self.ldb_admin.search(base=self.base_dn,
                                expression="distinguishedName=%s" % self.base_dn,
                                attrs=['msDS-Behavior-Version'])
    behavior_version = int(res[0]['msDS-Behavior-Version'][0])
    if behavior_version < DS_DOMAIN_FUNCTION_2008:
        self.DS_BEHAVIOR = "ds_behavior_win2003"
    else:
        self.DS_BEHAVIOR = "ds_behavior_win2008"
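def tearDown(self):
    """Run the base-class teardown, then remove everything the tests created.

    super() names this class (not DescriptorTests) so the MRO is walked from
    here and a tearDown added to DescriptorTests later is not skipped.
    """
    super(OwnerGroupDescriptorTests, self).tearDown()
    self.deleteAll()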
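def check_user_belongs(self, user_dn, groups=None):
    """Assert that *user_dn* is a member of exactly *groups* (names under CN=Users).

    groups: list of group names; None or [] means the user must carry no
    memberOf attribute at all (nothing beyond the implicit primary group).
    DNs are compared case-insensitively: both sides are upper-cased before
    sorting, so mixed-case DNs cannot sort into different orders.
    """
    groups = list(groups) if groups else []
    if groups:
        # User is member of at least one additional group
        res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
        actual = sorted(x.upper() for x in res[0]["memberOf"])
        expected = sorted(self.get_users_domain_dn(x).upper() for x in groups)
        self.assertEqual(expected, actual)
    else:
        # User is not a member of any additional groups but default
        res = self.ldb_admin.search(user_dn, attrs=["*"])
        present = [x.upper() for x in res[0].keys()]
        self.assertFalse("MEMBEROF" in present)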
def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
    """Replace the DACL of *object_dn* through *_ldb* and verify the outcome.

    A single ACE (deny CreateChild to the Guest account) is written,
    optionally prefixed by an explicit owner/group part.  The owner/group
    read back afterwards must equal the table entry for the current test,
    i.e. "add" and "modify" must yield the same owner and group.
    """
    # Modify
    ace = "(D;;CC;;;LG)"  # Deny Create Children to Guest account
    if owner_group != "":
        new_sddl = owner_group + "D:" + ace
    else:
        new_sddl = "D:" + ace
    self.modify_desc(_ldb, object_dn, new_sddl)
    # Make sure the modify operation has been applied
    desc_sddl = self.get_desc_sddl(object_dn)
    self.assertTrue(ace in desc_sddl)
    # Make sure we have identical result for both "add" and "modify"
    owner_and_group = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
    print(self._testMethodName)
    test_number = self._testMethodName[5:]
    self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], owner_and_group)
def test_100(self):
    """Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN."""
    user_name = "testuser1"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, ["Enterprise Admins"])
    # Bind as the tested user; the object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_group(user_ldb, object_dn)
    # Only the owner/group part of the resulting SDDL is compared
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(user_ldb, object_dn)
def test_101(self):
    """Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN."""
    user_name = "testuser2"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, ["Domain Admins"])
    # Bind as the tested user; the object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_group(user_ldb, object_dn)
    # Only the owner/group part of the resulting SDDL is compared
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(user_ldb, object_dn)
def test_102(self):
    """Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN."""
    user_name = "testuser3"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, ["Schema Admins"])
    # Bind as the tested user; the child object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    # The admin creates the OU and grants the user an inheritable (CI) ACE
    # with WriteProperty, WriteDacl and CreateChild on it
    ou_dn = "OU=test_domain_ou1," + self.base_dn
    self.delete_force(self.ldb_admin, ou_dn)
    self.create_domain_ou(self.ldb_admin, ou_dn)
    user_sid = self.get_object_sid(user_dn)
    self.dacl_add_ace(ou_dn, "(A;CI;WPWDCC;;;%s)" % str(user_sid))
    # Create additional object into the first one
    object_dn = "CN=test_domain_user1," + ou_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_user(user_ldb, object_dn)
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid)
    self.assertEqual(expected, owner_group)
    # TODO: self.check_modify_inheritance(user_ldb, object_dn) fails here, research why
def test_103(self):
    """Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN."""
    user_name = "testuser4"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, [])
    # Bind as the tested user; the child object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    # The admin creates the OU and grants the user an inheritable (CI) ACE
    # with WriteProperty, WriteDacl and CreateChild on it
    ou_dn = "OU=test_domain_ou1," + self.base_dn
    self.delete_force(self.ldb_admin, ou_dn)
    self.create_domain_ou(self.ldb_admin, ou_dn)
    user_sid = self.get_object_sid(user_dn)
    self.dacl_add_ace(ou_dn, "(A;CI;WPWDCC;;;%s)" % str(user_sid))
    # Create additional object into the first one
    object_dn = "CN=test_domain_user1," + ou_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_user(user_ldb, object_dn)
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid)
    self.assertEqual(expected, owner_group)
    # TODO: self.check_modify_inheritance(user_ldb, object_dn) fails here, research why
def test_104(self):
    """Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN."""
    user_name = "testuser5"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, ["Enterprise Admins", "Domain Admins"])
    # Bind as the tested user; the object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_group(user_ldb, object_dn)
    # Only the owner/group part of the resulting SDDL is compared
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(user_ldb, object_dn)
def test_105(self):
    """Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN."""
    user_name = "testuser6"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, ["Enterprise Admins", "Domain Admins", "Schema Admins"])
    # Bind as the tested user; the object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_group(user_ldb, object_dn)
    # Only the owner/group part of the resulting SDDL is compared
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(user_ldb, object_dn)
def test_106(self):
    """Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN."""
    user_name = "testuser7"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, ["Domain Admins", "Schema Admins"])
    # Bind as the tested user; the object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_group(user_ldb, object_dn)
    # Only the owner/group part of the resulting SDDL is compared
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(user_ldb, object_dn)
def test_107(self):
    """Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN."""
    user_name = "testuser8"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, ["Enterprise Admins", "Schema Admins"])
    # Bind as the tested user; the object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_group(user_ldb, object_dn)
    # Only the owner/group part of the resulting SDDL is compared
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(user_ldb, object_dn)
# Control descriptor tests #####################################################################
def test_108(self):
    """Enterprise admin group member creates object (custom descriptor) in DOMAIN."""
    user_name = "testuser1"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, ["Enterprise Admins"])
    # Bind as the tested user; the object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    self.delete_force(self.ldb_admin, object_dn)
    # Create the object with an explicit (custom) security descriptor
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_domain_group(user_ldb, object_dn, custom_sddl)
    # Only the owner/group part of the stored SDDL is compared
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
def test_109(self):
    """Domain admin group member creates object (custom descriptor) in DOMAIN."""
    user_name = "testuser2"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, ["Domain Admins"])
    # Bind as the tested user; the object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    self.delete_force(self.ldb_admin, object_dn)
    # Create the object with an explicit (custom) security descriptor
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_domain_group(user_ldb, object_dn, custom_sddl)
    # Only the owner/group part of the stored SDDL is compared
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
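def test_110(self):
    """Schema admin group member with CC right creates object (custom descriptor) in DOMAIN.

    The unused read_desc() call before the SDDL comparison is dropped; the
    descriptor is only ever inspected in SDDL form.
    """
    user_name = "testuser3"
    user_dn = self.get_users_domain_dn(user_name)
    self.check_user_belongs(user_dn, ["Schema Admins"])
    # Bind as the tested user; the child object is created through this connection
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    # The admin creates the OU and grants the user an inheritable (CI) ACE
    # with WriteOwner, WriteDacl and CreateChild on it
    ou_dn = "OU=test_domain_ou1," + self.base_dn
    self.delete_force(self.ldb_admin, ou_dn)
    self.create_domain_ou(self.ldb_admin, ou_dn)
    user_sid = self.get_object_sid(user_dn)
    self.dacl_add_ace(ou_dn, "(A;CI;WOWDCC;;;%s)" % str(user_sid))
    # Custom security descriptor for the child.
    # NB! Problematic owner part won't accept DA, only <User Sid> !!!
    custom_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
    # Create additional object into the first one
    object_dn = "CN=test_domain_user1," + ou_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_user(user_ldb, object_dn, custom_sddl)
    sddl = self.get_desc_sddl(object_dn)
    owner_group = re.search("(O:.*G:.*?)D:", sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid)
    self.assertEqual(expected, owner_group)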
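def test_111(self):
    """Regular user with CC right creates object (custom descriptor) in DOMAIN.

    The tested user belongs to no admin group, so it is explicitly granted an
    inheritable WRITE_OWNER | WRITE_DAC | CREATE_CHILD ACE on a fresh OU and
    then creates a user there with an explicit owner (its own SID) and group
    (Domain Admins). Only the O:/G: part of the stored descriptor is compared
    with the expected template for this DS behaviour level.
    """
    user_name = "testuser4"
    self.check_user_belongs(self.get_users_domain_dn(user_name), [])
    # Open Ldb connection with the tested user
    _ldb = self.get_ldb_connection(user_name, "samba123@")
    ou_dn = "OU=test_domain_ou1," + self.base_dn
    # Start from a clean slate so a leftover from an earlier run cannot skew the result.
    self.delete_force(self.ldb_admin, ou_dn)
    self.create_domain_ou(self.ldb_admin, ou_dn)
    user_sid = self.get_object_sid(self.get_users_domain_dn(user_name))
    # Inheritable allow ACE for the tested user: WO (write owner), WD (write DAC), CC (create child).
    mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
    self.dacl_add_ace(ou_dn, mod)
    # Create a custom security descriptor.
    # NB (original author's note): DA as owner is rejected for this caller; only its own SID works.
    desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
    # Create the user inside the OU, using the tested user's connection.
    object_dn = "CN=test_domain_user1," + ou_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_user(_ldb, object_dn, desc_sddl)
    # Compare only the owner/group prefix; the expected value is a template taking the user's SID.
    desc_sddl = self.get_desc_sddl(object_dn)
    res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
    self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)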
def test_112(self):
    """Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN."""
    tested_user = "testuser5"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Domain Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, group_dn)
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_domain_group(ldb_user, group_dn, custom_sddl)
    # Only the O:/G: prefix of what the server stored is compared.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(group_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
def test_113(self):
    """Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN."""
    tested_user = "testuser6"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, group_dn)
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_domain_group(ldb_user, group_dn, custom_sddl)
    # Only the O:/G: prefix of what the server stored is compared.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(group_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
def test_114(self):
    """Domain & Schema admin group member creates object (custom descriptor) in DOMAIN."""
    tested_user = "testuser7"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Domain Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, group_dn)
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_domain_group(ldb_user, group_dn, custom_sddl)
    # Only the O:/G: prefix of what the server stored is compared.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(group_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
def test_115(self):
    """Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN."""
    tested_user = "testuser8"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, group_dn)
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_domain_group(ldb_user, group_dn, custom_sddl)
    # Only the O:/G: prefix of what the server stored is compared.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(group_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
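def test_999(self):
    """Smoke test: an inheritable deny ACE on an OU does not stop the admin creating a child OU.

    There is no assertion; the test passes when every create and descriptor
    read below completes without raising.
    """
    object_dn = "OU=test_domain_ou1," + self.base_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_ou(self.ldb_admin, object_dn)
    # Inheritable deny of WRITE_PROPERTY to CREATOR OWNER (S-1-3-0).
    mod = "(D;CI;WP;;;S-1-3-0)"
    self.dacl_add_ace(object_dn, mod)
    # Reading the descriptor back is the only check made here; a failure surfaces as an exception.
    self.get_desc_sddl(object_dn)
    # Create additional object into the first one
    object_dn = "OU=test_domain_ou2," + object_dn
    self.delete_force(self.ldb_admin, object_dn)
    self.create_domain_ou(self.ldb_admin, object_dn)
    self.get_desc_sddl(object_dn)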
## Tests for SCHEMA
# Default descriptor tests ##################################################################
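def test_130(self):
    """Enterprise admin group member creates a schema class (default descriptor) in SCHEMA.

    No SDDL is supplied on create, so the server fills in the default
    descriptor; only its O:/G: part is compared with the expected value for
    this DS behaviour level, then inheritance on the new class is checked.
    """
    user_name = "testuser1"
    self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
    # Open Ldb connection with the tested user
    _ldb = self.get_ldb_connection(user_name, "samba123@")
    # Change Schema partition descriptor: WRITE_DAC + CREATE_CHILD for Authenticated Users
    # (not inheritable), so group membership is not what gates the create below.
    mod = "(A;;WDCC;;;AU)"
    self.dacl_add_ace(self.schema_dn, mod)
    # Create example Schema class
    class_name = self.get_unique_schema_class_name()
    class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
    self.create_schema_class(_ldb, class_dn)
    desc_sddl = self.get_desc_sddl(class_dn)
    res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
    self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
    self.check_modify_inheritance(_ldb, class_dn)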
def test_131(self):
    """Domain admin group member creates a schema class (default descriptor) in SCHEMA."""
    tested_user = "testuser2"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Domain Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # Inheritable WRITE_DAC + CREATE_CHILD for Authenticated Users on the schema NC,
    # so group membership is not what gates the create; the stored owner/group is.
    self.dacl_add_ace(self.schema_dn, "(A;CI;WDCC;;;AU)")
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_schema_class(ldb_user, class_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, class_dn)
def test_132(self):
    """Schema admin group member creates a schema class (default descriptor) in SCHEMA."""
    tested_user = "testuser3"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # Inheritable WRITE_DAC + CREATE_CHILD for Authenticated Users on the schema NC.
    self.dacl_add_ace(self.schema_dn, "(A;CI;WDCC;;;AU)")
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_schema_class(ldb_user, class_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    # NOTE(review): check_modify_inheritance is not exercised for this case — confirm whether intended.
def test_133(self):
    """Regular user creates a schema class (default descriptor) in SCHEMA."""
    tested_user = "testuser4"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), [])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    user_sid = self.get_object_sid(self.get_users_domain_dn(tested_user))
    # Inheritable WRITE_DAC + CREATE_CHILD for Authenticated Users on the schema NC,
    # which is what lets a non-admin create the class at all.
    self.dacl_add_ace(self.schema_dn, "(A;CI;WDCC;;;AU)")
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_schema_class(ldb_user, class_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    # The expected value is a template taking the creating user's SID.
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid)
    self.assertEqual(expected, owner_group)
    # NOTE(review): check_modify_inheritance is not exercised for this case — confirm whether intended.
def test_134(self):
    """Domain & Enterprise admin group member creates a schema class (default descriptor) in SCHEMA."""
    tested_user = "testuser5"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Domain Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # Inheritable WRITE_DAC + CREATE_CHILD for Authenticated Users on the schema NC.
    self.dacl_add_ace(self.schema_dn, "(A;CI;WDCC;;;AU)")
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_schema_class(ldb_user, class_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, class_dn)
def test_135(self):
    """Domain & Enterprise & Schema admin group member creates a schema class (default descriptor) in SCHEMA."""
    tested_user = "testuser6"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # Inheritable WRITE_DAC + CREATE_CHILD for Authenticated Users on the schema NC.
    self.dacl_add_ace(self.schema_dn, "(A;CI;WDCC;;;AU)")
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_schema_class(ldb_user, class_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, class_dn)
def test_136(self):
    """Domain & Schema admin group member creates a schema class (default descriptor) in SCHEMA."""
    tested_user = "testuser7"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Domain Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # Inheritable WRITE_DAC + CREATE_CHILD for Authenticated Users on the schema NC.
    self.dacl_add_ace(self.schema_dn, "(A;CI;WDCC;;;AU)")
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_schema_class(ldb_user, class_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, class_dn)
def test_137(self):
    """Enterprise & Schema admin group member creates a schema class (default descriptor) in SCHEMA."""
    tested_user = "testuser8"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # Inheritable WRITE_DAC + CREATE_CHILD for Authenticated Users on the schema NC.
    self.dacl_add_ace(self.schema_dn, "(A;CI;WDCC;;;AU)")
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_schema_class(ldb_user, class_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, class_dn)
# Custom descriptor tests ##################################################################
def test_138(self):
    """Enterprise admin group member creates a schema class (custom descriptor) in SCHEMA."""
    tested_user = "testuser1"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # CREATE_CHILD for Authenticated Users on the schema NC (not inheritable).
    self.dacl_add_ace(self.schema_dn, "(A;;CC;;;AU)")
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    self.create_schema_class(ldb_user, class_dn, custom_sddl)
    # The supplied owner/group is expected to be stored unchanged.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    self.assertEqual("O:DAG:DA", owner_group)
def test_139(self):
    """Domain admin group member creates a schema class (custom descriptor) in SCHEMA."""
    tested_user = "testuser2"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Domain Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # CREATE_CHILD for Authenticated Users on the schema NC (not inheritable).
    self.dacl_add_ace(self.schema_dn, "(A;;CC;;;AU)")
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    self.create_schema_class(ldb_user, class_dn, custom_sddl)
    # The supplied owner/group is expected to be stored unchanged.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    self.assertEqual("O:DAG:DA", owner_group)
def test_140(self):
    """Schema admin group member creates a schema class (custom descriptor) in SCHEMA."""
    tested_user = "testuser3"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    user_sid = self.get_object_sid(self.get_users_domain_dn(tested_user))
    # Explicit owner = the caller's own SID, group = Domain Admins.
    # NB (original author's note): DA as owner is rejected for this caller; only its own SID works.
    custom_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    self.create_schema_class(ldb_user, class_dn, custom_sddl)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    # The expected value is a template taking the creating user's SID.
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid)
    self.assertEqual(expected, owner_group)
def test_141(self):
    """Regular user creates a schema class (custom descriptor) in SCHEMA."""
    tested_user = "testuser4"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), [])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    user_sid = self.get_object_sid(self.get_users_domain_dn(tested_user))
    # Explicit owner = the caller's own SID, group = Domain Admins.
    # NB (original author's note): DA as owner is rejected for this caller; only its own SID works.
    custom_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    self.create_schema_class(ldb_user, class_dn, custom_sddl)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    # The expected value is a template taking the creating user's SID.
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid)
    self.assertEqual(expected, owner_group)
def test_142(self):
    """Domain & Enterprise admin group member creates a schema class (custom descriptor) in SCHEMA."""
    tested_user = "testuser5"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Domain Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # CREATE_CHILD for Authenticated Users on the schema NC (not inheritable).
    self.dacl_add_ace(self.schema_dn, "(A;;CC;;;AU)")
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    self.create_schema_class(ldb_user, class_dn, custom_sddl)
    # The supplied owner/group is expected to be stored unchanged.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    self.assertEqual("O:DAG:DA", owner_group)
def test_143(self):
    """Domain & Enterprise & Schema admin group member creates a schema class (custom descriptor) in SCHEMA."""
    tested_user = "testuser6"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # CREATE_CHILD for Authenticated Users on the schema NC (not inheritable).
    self.dacl_add_ace(self.schema_dn, "(A;;CC;;;AU)")
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    self.create_schema_class(ldb_user, class_dn, custom_sddl)
    # The supplied owner/group is expected to be stored unchanged.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    self.assertEqual("O:DAG:DA", owner_group)
def test_144(self):
    """Domain & Schema admin group member creates a schema class (custom descriptor) in SCHEMA."""
    tested_user = "testuser7"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Domain Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # CREATE_CHILD for Authenticated Users on the schema NC (not inheritable).
    self.dacl_add_ace(self.schema_dn, "(A;;CC;;;AU)")
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    self.create_schema_class(ldb_user, class_dn, custom_sddl)
    # The supplied owner/group is expected to be stored unchanged.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    self.assertEqual("O:DAG:DA", owner_group)
def test_145(self):
    """Enterprise & Schema admin group member creates a schema class (custom descriptor) in SCHEMA."""
    tested_user = "testuser8"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # CREATE_CHILD for Authenticated Users on the schema NC (not inheritable).
    self.dacl_add_ace(self.schema_dn, "(A;;CC;;;AU)")
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    class_dn = "CN=%s,%s" % (self.get_unique_schema_class_name(), self.schema_dn)
    self.create_schema_class(ldb_user, class_dn, custom_sddl)
    # The supplied owner/group is expected to be stored unchanged.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(class_dn)).group(1)
    self.assertEqual("O:DAG:DA", owner_group)
## Tests for CONFIGURATION
# Default descriptor tests ##################################################################
def test_160(self):
    """Enterprise admin group member creates a DisplaySpecifiers container (default descriptor) in CONFIGURATION."""
    tested_user = "testuser1"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, container_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_configuration_container(ldb_user, container_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(container_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, container_dn)
def test_161(self):
    """Domain admin group member creates a DisplaySpecifiers container (default descriptor) in CONFIGURATION."""
    tested_user = "testuser2"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Domain Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, container_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_configuration_container(ldb_user, container_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(container_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, container_dn)
def test_162(self):
    """Schema admin group member creates a display specifier (default descriptor) in CONFIGURATION."""
    tested_user = "testuser3"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # The parent container is created by the admin; only the child is created by the tested user.
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    self.delete_force(self.ldb_admin, container_dn)
    self.create_configuration_container(self.ldb_admin, container_dn)
    user_sid = self.get_object_sid(self.get_users_domain_dn(tested_user))
    # WRITE_DAC + CREATE_CHILD for Authenticated Users on the container (not inheritable).
    self.dacl_add_ace(container_dn, "(A;;WDCC;;;AU)")
    specifier_dn = "CN=test-specifier1," + container_dn
    self.delete_force(self.ldb_admin, specifier_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_configuration_specifier(ldb_user, specifier_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(specifier_dn)).group(1)
    # The expected value is a template taking the creating user's SID.
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid)
    self.assertEqual(expected, owner_group)
    # NOTE(review): check_modify_inheritance is not exercised for this case — confirm whether intended.
def test_163(self):
    """Regular user creates a display specifier (default descriptor) in CONFIGURATION."""
    tested_user = "testuser4"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), [])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # The parent container is created by the admin; only the child is created by the tested user.
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    self.delete_force(self.ldb_admin, container_dn)
    self.create_configuration_container(self.ldb_admin, container_dn)
    user_sid = self.get_object_sid(self.get_users_domain_dn(tested_user))
    # Inheritable WRITE_DAC + CREATE_CHILD for Authenticated Users on the container,
    # which is what lets a non-admin create the child at all.
    self.dacl_add_ace(container_dn, "(A;CI;WDCC;;;AU)")
    specifier_dn = "CN=test-specifier1," + container_dn
    self.delete_force(self.ldb_admin, specifier_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_configuration_specifier(ldb_user, specifier_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(specifier_dn)).group(1)
    # The expected value is a template taking the creating user's SID.
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid)
    self.assertEqual(expected, owner_group)
    # NOTE(review): check_modify_inheritance is not exercised for this case — confirm whether intended.
def test_164(self):
    """Domain & Enterprise admin group member creates a DisplaySpecifiers container (default descriptor) in CONFIGURATION."""
    tested_user = "testuser5"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Domain Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, container_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_configuration_container(ldb_user, container_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(container_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, container_dn)
def test_165(self):
    """Domain & Enterprise & Schema admin group member creates a DisplaySpecifiers container (default descriptor) in CONFIGURATION."""
    tested_user = "testuser6"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, container_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_configuration_container(ldb_user, container_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(container_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, container_dn)
def test_166(self):
    """Domain & Schema admin group member creates a DisplaySpecifiers container (default descriptor) in CONFIGURATION."""
    tested_user = "testuser7"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Domain Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, container_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_configuration_container(ldb_user, container_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(container_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, container_dn)
def test_167(self):
    """Enterprise & Schema admin group member creates a DisplaySpecifiers container (default descriptor) in CONFIGURATION."""
    tested_user = "testuser8"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins", "Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, container_dn)
    # No SDDL passed: the server fills in the default descriptor.
    self.create_configuration_container(ldb_user, container_dn)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(container_dn)).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]]
    self.assertEqual(expected, owner_group)
    self.check_modify_inheritance(ldb_user, container_dn)
# Custom descriptor tests ##################################################################
def test_168(self):
    """Enterprise admin group member creates a DisplaySpecifiers container (custom descriptor) in CONFIGURATION."""
    tested_user = "testuser1"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Enterprise Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, container_dn)
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_configuration_container(ldb_user, container_dn, custom_sddl)
    # The supplied owner/group is expected to be stored unchanged.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(container_dn)).group(1)
    self.assertEqual("O:DAG:DA", owner_group)
def test_169(self):
    """Domain admin group member creates a DisplaySpecifiers container (custom descriptor) in CONFIGURATION."""
    tested_user = "testuser2"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Domain Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    # Remove any leftover from a previous run before creating.
    self.delete_force(self.ldb_admin, container_dn)
    # Explicit owner and group, both Domain Admins.
    custom_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_configuration_container(ldb_user, container_dn, custom_sddl)
    # The supplied owner/group is expected to be stored unchanged.
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(container_dn)).group(1)
    self.assertEqual("O:DAG:DA", owner_group)
def test_170(self):
    """Schema admin group member creates a display specifier (custom descriptor) in CONFIGURATION."""
    tested_user = "testuser3"
    self.check_user_belongs(self.get_users_domain_dn(tested_user), ["Schema Admins"])
    # Bind as the tested user so the server evaluates its token, not the admin's.
    ldb_user = self.get_ldb_connection(tested_user, "samba123@")
    # The parent container is created by the admin; only the child is created by the tested user.
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    self.delete_force(self.ldb_admin, container_dn)
    self.create_configuration_container(self.ldb_admin, container_dn)
    user_sid = self.get_object_sid(self.get_users_domain_dn(tested_user))
    # CREATE_CHILD for Authenticated Users on the container (not inheritable).
    self.dacl_add_ace(container_dn, "(A;;CC;;;AU)")
    specifier_dn = "CN=test-specifier1," + container_dn
    self.delete_force(self.ldb_admin, specifier_dn)
    # Explicit owner = the caller's own SID, group = Domain Admins.
    # NB (original author's note): DA as owner is rejected for this caller; only its own SID works.
    custom_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
    self.create_configuration_specifier(ldb_user, specifier_dn, custom_sddl)
    owner_group = re.search("(O:.*G:.*?)D:", self.get_desc_sddl(specifier_dn)).group(1)
    # The expected value is a template taking the creating user's SID.
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid)
    self.assertEqual(expected, owner_group)
def test_171(self):
    """Plain user (no admin group) creates a DisplaySpecifier child with its
    own SID as owner; the stored owner/group prefix is compared with the
    per-forest-level expectation in ``self.results``."""
    user_name = "testuser4"
    self.check_user_belongs(self.get_users_domain_dn(user_name), [])
    # Connection authenticated as the tested user
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    # Parent container is created by the admin connection
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    self.delete_force(self.ldb_admin, container_dn)
    self.create_configuration_container(self.ldb_admin, container_dn, )
    user_sid = self.get_object_sid(self.get_users_domain_dn(user_name))
    # Grant Authenticated Users create-child on the container so the user may add below it
    self.dacl_add_ace(container_dn, "(A;;CC;;;AU)")
    # Child object is created with the user's credentials
    specifier_dn = "CN=test-specifier1," + container_dn
    self.delete_force(self.ldb_admin, specifier_dn)
    # NB! Problematic owner part won't accept DA only <User Sid> !!!
    requested_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
    self.create_configuration_specifier(user_ldb, specifier_dn, requested_sddl)
    stored_sddl = self.get_desc_sddl(specifier_dn)
    owner_and_group = re.search("(O:.*G:.*?)D:", stored_sddl).group(1)
    expected = self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid)
    self.assertEqual(expected, owner_and_group)
def test_172(self):
    """Enterprise Admins + Domain Admins member creates a configuration
    container with an explicit O:DA G:DA descriptor; both must be kept."""
    user_name = "testuser5"
    self.check_user_belongs(self.get_users_domain_dn(user_name),
                            ["Enterprise Admins", "Domain Admins"])
    # Connection authenticated as the tested user
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    # Example Configuration container, removed first in case of leftovers
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    self.delete_force(self.ldb_admin, container_dn)
    # Custom security descriptor supplied by the user at creation time
    requested_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_configuration_container(user_ldb, container_dn, requested_sddl)
    stored_sddl = self.get_desc_sddl(container_dn)
    owner_and_group = re.search("(O:.*G:.*?)D:", stored_sddl).group(1)
    self.assertEqual("O:DAG:DA", owner_and_group)
def test_173(self):
    """Enterprise/Domain/Schema Admins member creates a configuration
    container with an explicit O:DA G:DA descriptor; both must be kept."""
    user_name = "testuser6"
    self.check_user_belongs(self.get_users_domain_dn(user_name),
                            ["Enterprise Admins", "Domain Admins", "Schema Admins"])
    # Connection authenticated as the tested user
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    # Example Configuration container, removed first in case of leftovers
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    self.delete_force(self.ldb_admin, container_dn)
    # Custom security descriptor supplied by the user at creation time
    requested_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_configuration_container(user_ldb, container_dn, requested_sddl)
    stored_sddl = self.get_desc_sddl(container_dn)
    owner_and_group = re.search("(O:.*G:.*?)D:", stored_sddl).group(1)
    self.assertEqual("O:DAG:DA", owner_and_group)
def test_174(self):
    """Domain Admins + Schema Admins member creates a configuration
    container with an explicit O:DA G:DA descriptor; both must be kept."""
    user_name = "testuser7"
    self.check_user_belongs(self.get_users_domain_dn(user_name),
                            ["Domain Admins", "Schema Admins"])
    # Connection authenticated as the tested user
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    # Example Configuration container, removed first in case of leftovers
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    self.delete_force(self.ldb_admin, container_dn)
    # Custom security descriptor supplied by the user at creation time
    requested_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_configuration_container(user_ldb, container_dn, requested_sddl)
    stored_sddl = self.get_desc_sddl(container_dn)
    owner_and_group = re.search("(O:.*G:.*?)D:", stored_sddl).group(1)
    self.assertEqual("O:DAG:DA", owner_and_group)
def test_175(self):
    """Enterprise Admins + Schema Admins member creates a configuration
    container with an explicit O:DA G:DA descriptor; both must be kept."""
    user_name = "testuser8"
    self.check_user_belongs(self.get_users_domain_dn(user_name),
                            ["Enterprise Admins", "Schema Admins"])
    # Connection authenticated as the tested user
    user_ldb = self.get_ldb_connection(user_name, "samba123@")
    # Example Configuration container, removed first in case of leftovers
    container_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
    self.delete_force(self.ldb_admin, container_dn)
    # Custom security descriptor supplied by the user at creation time
    requested_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
    self.create_configuration_container(user_ldb, container_dn, requested_sddl)
    stored_sddl = self.get_desc_sddl(container_dn)
    owner_and_group = re.search("(O:.*G:.*?)D:", stored_sddl).group(1)
    self.assertEqual("O:DAG:DA", owner_and_group)
########################################################################################
# Inheritance tests for DACL
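class DaclDescriptorTests(DescriptorTests):
    """DACL inheritance behaviour.

    Each test builds an OU whose descriptor has been stripped of every
    inheritable (CI/OI) ACE and marked protected, adds ACEs to it, creates a
    child group and inspects the group's resulting SDDL. The OU/group pair is
    shared by all tests, so ``deleteAll`` removes both before every test.
    """

    def deleteAll(self):
        """Remove the test group, then the test OU (child before parent)."""
        self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
        self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)

    def setUp(self):
        super(DaclDescriptorTests, self).setUp()
        self.deleteAll()

    def create_clean_ou(self, object_dn):
        """Base repeating setup for unittests to follow.

        Creates ``object_dn`` as an OU, removes every CI/OI ACE from its
        descriptor and turns ``:AI`` into ``:AIP`` (protected) wherever it
        occurs, so that nothing is inherited from above and nothing is
        handed down by default. Asserts that the OU did not exist before
        and that no CI/OI flag remains afterwards.
        """
        res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE,
                                    expression="distinguishedName=%s" % object_dn)
        # Make sure top testing OU has been deleted before starting the test
        self.assertEqual(res, [])
        self.create_domain_ou(self.ldb_admin, object_dn)
        desc_sddl = self.get_desc_sddl(object_dn)
        # Make sure there are inheritable ACEs initially
        self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
        # Find and remove all inherit ACEs. Raw string: "\(" is not a Python
        # escape and newer interpreters warn about it in a plain literal.
        for ace in re.findall(r"\(.*?\)", desc_sddl):
            if "CI" in ace or "OI" in ace:
                desc_sddl = desc_sddl.replace(ace, "")
        # Add flag 'protected' in both DACL and SACL so no inherit ACEs
        # can propagate from above (replace() hits every ":AI", i.e. the
        # D: and the S: list alike).
        desc_sddl = desc_sddl.replace(":AI", ":AIP")
        self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
        # Verify all inheritable ACEs are gone
        desc_sddl = self.get_desc_sddl(object_dn)
        self.assertFalse("CI" in desc_sddl)
        self.assertFalse("OI" in desc_sddl)

    def _assert_ace_inherited(self, ou_ace, inherited_ace, new_dacl):
        """Add ``ou_ace`` to a clean OU, create the child group and check that
        ``inherited_ace`` (the form the server is expected to store on the
        child) is present; then replace the group's DACL with ``new_dacl``
        and check that both ``new_dacl`` and ``inherited_ace`` survive."""
        ou_dn = "OU=test_inherit_ou," + self.base_dn
        group_dn = "CN=test_inherit_group," + ou_dn
        # Create inheritable-free OU
        self.create_clean_ou(ou_dn)
        self.dacl_add_ace(ou_dn, ou_ace)
        # Create group child object with a fixed explicit descriptor
        self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
        # Make sure created group object contains the ACE inherited from the OU
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertTrue(inherited_ace in desc_sddl)
        # Rewriting the explicit DACL must not lose the inherited ACE
        self.modify_desc(self.ldb_admin, group_dn, "D:" + new_dacl)
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertTrue(new_dacl in desc_sddl)
        self.assertTrue(inherited_ace in desc_sddl)

    def test_200(self):
        """OU with protected flag and child group. See if the group has inherit ACEs.
        """
        ou_dn = "OU=test_inherit_ou," + self.base_dn
        group_dn = "CN=test_inherit_group," + ou_dn
        # Create inheritable-free OU
        self.create_clean_ou(ou_dn)
        # Create group child object
        self.create_domain_group(self.ldb_admin, group_dn)
        # Make sure created group object contains NO inherit ACEs
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertFalse("ID" in desc_sddl)

    def test_201(self):
        """OU with protected flag and no inherit ACEs, child group with custom descriptor.
        Verify group has custom and default ACEs only.
        """
        ou_dn = "OU=test_inherit_ou," + self.base_dn
        group_dn = "CN=test_inherit_group," + ou_dn
        # Create inheritable-free OU
        self.create_clean_ou(ou_dn)
        # Create group child object using custom security descriptor
        sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
        self.create_domain_group(self.ldb_admin, group_dn, sddl)
        # Make sure created group descriptor has NO additional ACEs
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertEqual(desc_sddl, sddl)
        # Same check after a full descriptor replacement
        sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
        self.modify_desc(self.ldb_admin, group_dn, sddl)
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertEqual(desc_sddl, sddl)

    def test_202(self):
        """OU with protected flag and add couple non-inheritable ACEs, child group.
        See if the group has any of the added ACEs.
        """
        ou_dn = "OU=test_inherit_ou," + self.base_dn
        group_dn = "CN=test_inherit_group," + ou_dn
        # Create inheritable-free OU
        self.create_clean_ou(ou_dn)
        # Add some custom non-inheritable ACEs
        mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
        moded = "(D;;CC;;;LG)"
        self.dacl_add_ace(ou_dn, mod)
        added_aces = re.findall(r"\(.*?\)", mod)
        # Create group child object
        self.create_domain_group(self.ldb_admin, group_dn)
        # Make sure created group object contains NO inherit ACEs and that
        # the non-inheritable ACEs added above are absent too
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertFalse("ID" in desc_sddl)
        for ace in added_aces:
            self.assertFalse(ace in desc_sddl)
        # Same after replacing the group's DACL
        self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertFalse("ID" in desc_sddl)
        for ace in added_aces:
            self.assertFalse(ace in desc_sddl)

    def test_203(self):
        """OU with protected flag and add 'CI' ACE, child group.
        See if the group has the added inherited ACE.
        """
        mod = "(D;CI;WP;;;DU)"
        # On the child the ACE carries the ID (inherited) flag
        self._assert_ace_inherited(mod, mod.replace(";CI;", ";CIID;"), "(D;;CC;;;LG)")

    def test_204(self):
        """OU with protected flag and add 'OI' ACE, child group.
        See if the group has the added inherited ACE.
        """
        mod = "(D;OI;WP;;;DU)"
        # An object-inherit ACE lands on the child as inherit-only + inherited
        self._assert_ace_inherited(mod, mod.replace(";OI;", ";OIIOID;"), "(D;;CC;;;LG)")

    def test_205(self):
        """OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
        See if the group has the added inherited ACE.
        """
        # Object-specific ACE for the 'name' attribute with 'CI'
        mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
        self._assert_ace_inherited(mod, mod.replace(";CI;", ";CIID;"), "(D;;CC;;;LG)")

    def test_206(self):
        """OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
        See if the group has the added inherited ACE.
        """
        # Object-specific ACE for the 'name' attribute with 'OI'
        mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
        self._assert_ace_inherited(mod, mod.replace(";OI;", ";OIIOID;"), "(D;;CC;;;LG)")

    def test_207(self):
        """OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
        See if the group has the added inherited ACE.
        """
        # Object-specific ACE for the 'st' attribute (OU specific) with 'CI'
        mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
        self._assert_ace_inherited(mod, mod.replace(";CI;", ";CIID;"), "(D;;CC;;;LG)")

    def test_208(self):
        """OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
        See if the group has the added inherited ACE.
        """
        # Object-specific ACE for the 'st' attribute (OU specific) with 'OI'
        mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
        # The replacement DACL repeats the OU's ACE explicitly in front of the new one
        self._assert_ace_inherited(
            mod, mod.replace(";OI;", ";OIIOID;"),
            "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)(D;;CC;;;LG)")

    def test_209(self):
        """OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
        See if the group has the added inherited ACE.
        """
        ou_dn = "OU=test_inherit_ou," + self.base_dn
        group_dn = "CN=test_inherit_group," + ou_dn
        # Create inheritable-free OU
        self.create_clean_ou(ou_dn)
        # Add some custom 'CI' ACE for the CREATOR OWNER placeholder SID
        mod = "(D;CI;WP;;;CO)"
        moded = "(D;;CC;;;LG)"
        self.dacl_add_ace(ou_dn, mod)
        # Create group child object
        self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
        # Make sure created group object contains only the above inherited ACE(s)
        # that we've added manually: CO is resolved to the child's owner (AU) as
        # an effective ACE, and the CO form is kept inherit-only for further
        # propagation.
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
        self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
        self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertTrue(moded in desc_sddl)
        # NOTE(review): after the DACL rewrite the resolved copy names DA rather
        # than AU; presumably the owner changed with the rewrite -- the assertion
        # pins the observed behaviour.
        self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
        self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)

    def test_210(self):
        """OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
        """
        ou_dn = "OU=test_inherit_ou," + self.base_dn
        group_dn = "CN=test_inherit_group," + ou_dn
        self.create_clean_ou(ou_dn)
        # Add some custom ACE; the second one claims to be inherited (ID)
        # although nothing on the parent could have produced it.
        mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
        self.create_domain_group(self.ldb_admin, group_dn, mod)
        # Make sure created group object does not contain the ID ace: an
        # inherited ACE must come from the parent, not from the caller.
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)

    def test_211(self):
        """Provide ACE with CO SID, should be expanded and replaced
        """
        ou_dn = "OU=test_inherit_ou," + self.base_dn
        group_dn = "CN=test_inherit_group," + ou_dn
        # Create inheritable-free OU
        self.create_clean_ou(ou_dn)
        # Add some custom 'CI' ACE with the CREATOR OWNER placeholder SID
        mod = "D:(D;CI;WP;;;CO)"
        self.create_domain_group(self.ldb_admin, group_dn, mod)
        # The placeholder is resolved to a concrete owner SID for the effective
        # ACE and the CO form is kept as inherit-only for children
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)

    def test_212(self):
        """Provide a CO ACE that already carries the IO flag. It must be stored
        as given: neither expanded to a concrete-owner ACE nor duplicated.
        """
        ou_dn = "OU=test_inherit_ou," + self.base_dn
        group_dn = "CN=test_inherit_group," + ou_dn
        # Create inheritable-free OU
        self.create_clean_ou(ou_dn)
        # Add some custom 'CIIO' ACE
        mod = "D:(D;CIIO;WP;;;CO)"
        self.create_domain_group(self.ldb_admin, group_dn, mod)
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
        self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
        self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)

    def test_213(self):
        """Provide ACE with IO flag only (no CI/OI), should be ignored
        """
        ou_dn = "OU=test_inherit_ou," + self.base_dn
        group_dn = "CN=test_inherit_group," + ou_dn
        # Create inheritable-free OU
        self.create_clean_ou(ou_dn)
        # Inherit-only without CI/OI has nothing it could ever apply to
        mod = "D:(D;IO;WP;;;DA)"
        self.create_domain_group(self.ldb_admin, group_dn, mod)
        # Make sure created group object does not keep the meaningless ACE
        desc_sddl = self.get_desc_sddl(group_dn)
        self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)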
########################################################################################
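class SdFlagsDescriptorTests(DescriptorTests):
    """Behaviour of the ``sd_flags`` LDAP control.

    ``test_descr`` sets all four parts (owner AU, group AU, one DACL ACE,
    one SACL ACE). Tests 301-306 write it with one SECINFO_* bit at a time
    and check that only that part of the stored descriptor changed;
    tests 307-310 read with one bit at a time and check that only that
    part is returned.
    """

    def deleteAll(self):
        """Remove the OU shared by all tests of this class."""
        self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)

    def setUp(self):
        super(SdFlagsDescriptorTests, self).setUp()
        # Descriptor with a recognisable value in every one of the four parts
        self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
        self.deleteAll()

    def _modify_with_flags(self, ou_dn, control_value):
        """Create the OU and write ``test_descr`` with ``sd_flags:1:<control_value>``."""
        self.create_domain_ou(self.ldb_admin, ou_dn)
        self.modify_desc(self.ldb_admin, ou_dn, self.test_descr,
                         controls=["sd_flags:1:%s" % control_value])

    def test_301(self):
        """Modify a descriptor with OWNER_SECURITY_INFORMATION set.
        See that only the owner has been changed.
        """
        ou_dn = "OU=test_sdflags_ou," + self.base_dn
        self._modify_with_flags(ou_dn, "%d" % SECINFO_OWNER)
        desc_sddl = self.get_desc_sddl(ou_dn)
        # make sure we have modified the owner
        self.assertTrue("O:AU" in desc_sddl)
        # make sure nothing else has been modified
        self.assertFalse("G:AU" in desc_sddl)
        self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
        self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)

    def test_302(self):
        """Modify a descriptor with GROUP_SECURITY_INFORMATION set.
        See that only the group has been changed.
        """
        ou_dn = "OU=test_sdflags_ou," + self.base_dn
        self._modify_with_flags(ou_dn, "%d" % SECINFO_GROUP)
        desc_sddl = self.get_desc_sddl(ou_dn)
        # make sure we have modified the group
        self.assertTrue("G:AU" in desc_sddl)
        # make sure nothing else has been modified
        self.assertFalse("O:AU" in desc_sddl)
        self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
        self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)

    def test_303(self):
        """Modify a descriptor with DACL_SECURITY_INFORMATION set.
        See that only the DACL has been changed.
        """
        ou_dn = "OU=test_sdflags_ou," + self.base_dn
        self._modify_with_flags(ou_dn, "%d" % SECINFO_DACL)
        desc_sddl = self.get_desc_sddl(ou_dn)
        # make sure we have modified the DACL
        self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
        # make sure nothing else has been modified
        self.assertFalse("O:AU" in desc_sddl)
        self.assertFalse("G:AU" in desc_sddl)
        self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)

    def test_304(self):
        """Modify a descriptor with SACL_SECURITY_INFORMATION set.
        See that only the SACL has been changed.
        """
        ou_dn = "OU=test_sdflags_ou," + self.base_dn
        self._modify_with_flags(ou_dn, "%d" % SECINFO_SACL)
        desc_sddl = self.get_desc_sddl(ou_dn)
        # make sure we have modified the SACL
        self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
        # make sure nothing else has been modified
        self.assertFalse("O:AU" in desc_sddl)
        self.assertFalse("G:AU" in desc_sddl)
        self.assertFalse("(D;;CC;;;LG)" in desc_sddl)

    def test_305(self):
        """Modify a descriptor with 0x0 set.
        Contrary to logic this is interpreted as no control,
        which is the same as 0xF
        """
        ou_dn = "OU=test_sdflags_ou," + self.base_dn
        self._modify_with_flags(ou_dn, "0")
        desc_sddl = self.get_desc_sddl(ou_dn)
        # every part must have been written
        self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
        self.assertTrue("O:AU" in desc_sddl)
        self.assertTrue("G:AU" in desc_sddl)
        self.assertTrue("(D;;CC;;;LG)" in desc_sddl)

    def test_306(self):
        """Modify a descriptor with 0xF set.
        """
        ou_dn = "OU=test_sdflags_ou," + self.base_dn
        self._modify_with_flags(ou_dn, "15")
        desc_sddl = self.get_desc_sddl(ou_dn)
        # every part must have been written
        self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
        self.assertTrue("O:AU" in desc_sddl)
        self.assertTrue("G:AU" in desc_sddl)
        self.assertTrue("(D;;CC;;;LG)" in desc_sddl)

    def test_307(self):
        """Read a descriptor with OWNER_SECURITY_INFORMATION
        Only the owner part should be returned.
        """
        ou_dn = "OU=test_sdflags_ou," + self.base_dn
        self.create_domain_ou(self.ldb_admin, ou_dn)
        desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
        # make sure we have read the owner
        self.assertTrue("O:" in desc_sddl)
        # make sure we have read nothing else
        self.assertFalse("G:" in desc_sddl)
        self.assertFalse("D:" in desc_sddl)
        self.assertFalse("S:" in desc_sddl)

    def test_308(self):
        """Read a descriptor with GROUP_SECURITY_INFORMATION
        Only the group part should be returned.
        """
        ou_dn = "OU=test_sdflags_ou," + self.base_dn
        self.create_domain_ou(self.ldb_admin, ou_dn)
        desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
        # make sure we have read the group
        self.assertTrue("G:" in desc_sddl)
        # make sure we have read nothing else
        self.assertFalse("O:" in desc_sddl)
        self.assertFalse("D:" in desc_sddl)
        self.assertFalse("S:" in desc_sddl)

    def test_309(self):
        """Read a descriptor with SACL_SECURITY_INFORMATION
        Only the sacl part should be returned.
        """
        ou_dn = "OU=test_sdflags_ou," + self.base_dn
        self.create_domain_ou(self.ldb_admin, ou_dn)
        desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
        # make sure we have read the SACL
        self.assertTrue("S:" in desc_sddl)
        # make sure we have read nothing else
        self.assertFalse("O:" in desc_sddl)
        self.assertFalse("D:" in desc_sddl)
        self.assertFalse("G:" in desc_sddl)

    def test_310(self):
        """Read a descriptor with DACL_SECURITY_INFORMATION
        Only the dacl part should be returned.
        """
        ou_dn = "OU=test_sdflags_ou," + self.base_dn
        self.create_domain_ou(self.ldb_admin, ou_dn)
        desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
        # make sure we have read the DACL
        self.assertTrue("D:" in desc_sddl)
        # make sure we have read nothing else
        self.assertFalse("O:" in desc_sddl)
        self.assertFalse("S:" in desc_sddl)
        self.assertFalse("G:" in desc_sddl)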
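class RightsAttributesTests(DescriptorTests):
    """Constructed attributes that report a caller's effective rights
    (sDRightsEffective, allowedChildClassesEffective,
    allowedAttributesEffective), read through a connection authenticated as
    a low-privileged test user whose DACL grants are extended step by step.
    """

    def deleteAll(self):
        """Remove the two test users and the test OU."""
        self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
        self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
        self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)

    def setUp(self):
        super(RightsAttributesTests, self).setUp()
        self.deleteAll()
        ### Create users
        # User 1: plain user
        self.create_enable_user("testuser_attr")
        # User 2: member of Domain Admins
        self.create_enable_user("testuser_attr2")
        self.add_user_to_group(self.ldb_admin, "testuser_attr2", "Domain Admins")

    def _prepare_ou_for_user(self, object_dn, user_name):
        """Recreate ``object_dn`` and grant ``user_name`` read-property on it
        (so the constructed attributes can be retrieved at all).

        Returns the user's SID and a connection authenticated as that user.
        """
        self.delete_force(self.ldb_admin, object_dn)
        self.create_domain_ou(self.ldb_admin, object_dn)
        user_sid = self.get_object_sid(self.get_users_domain_dn(user_name))
        self.dacl_add_ace(object_dn, "(A;CI;RP;;;%s)" % str(user_sid))
        user_ldb = self.get_ldb_connection(user_name, "samba123@")
        return user_sid, user_ldb

    def _read_entry(self, ldb_conn, object_dn, attr):
        """Base-scope read of ``attr`` on ``object_dn``; asserts exactly one entry and returns it."""
        res = ldb_conn.search(base=object_dn, expression="", scope=SCOPE_BASE,
                              attrs=[attr])
        self.assertEqual(len(res), 1)
        return res[0]

    def test_sDRightsEffective(self):
        """sDRightsEffective must grow with the caller's DACL grants: RP only
        gives 0, WD adds DACL, WO adds OWNER and GROUP, and SACL access is
        only reported for the Domain Admins member."""
        object_dn = "OU=test_domain_ou1," + self.base_dn
        user_sid, _ldb = self._prepare_ou_for_user(object_dn, "testuser_attr")
        # user should have no rights at all
        entry = self._read_entry(_ldb, object_dn, "sDRightsEffective")
        self.assertEqual(entry["sDRightsEffective"][0], "0")
        # give the user Write DACL and see what happens
        self.dacl_add_ace(object_dn, "(A;CI;WD;;;%s)" % str(user_sid))
        entry = self._read_entry(_ldb, object_dn, "sDRightsEffective")
        # user should have DACL_SECURITY_INFORMATION
        self.assertEqual(entry["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
        # give the user Write Owner and see what happens
        self.dacl_add_ace(object_dn, "(A;CI;WO;;;%s)" % str(user_sid))
        entry = self._read_entry(_ldb, object_dn, "sDRightsEffective")
        # user should have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
        self.assertEqual(entry["sDRightsEffective"][0],
                         ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
        # no way to grant the security privilege by adding ACEs, so we use a
        # member of Domain Admins
        _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
        entry = self._read_entry(_ldb, object_dn, "sDRightsEffective")
        # the admin should have DACL, OWNER, GROUP and SACL_SECURITY_INFORMATION
        self.assertEqual(entry["sDRightsEffective"][0],
                         ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))

    def test_allowedChildClassesEffective(self):
        """allowedChildClassesEffective is absent without a create-child grant
        and lists exactly 'user' once an object-specific CC ACE for the user
        class is added."""
        object_dn = "OU=test_domain_ou1," + self.base_dn
        user_sid, _ldb = self._prepare_ou_for_user(object_dn, "testuser_attr")
        # there should be no allowed child classes
        entry = self._read_entry(_ldb, object_dn, "allowedChildClassesEffective")
        self.assertFalse("allowedChildClassesEffective" in entry.keys())
        # give the user the right to create children of type user
        mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
        self.dacl_add_ace(object_dn, mod)
        entry = self._read_entry(_ldb, object_dn, "allowedChildClassesEffective")
        # allowedChildClassesEffective should only have one value, user
        self.assertEqual(len(entry["allowedChildClassesEffective"]), 1)
        self.assertEqual(entry["allowedChildClassesEffective"][0], "user")

    def test_allowedAttributesEffective(self):
        """allowedAttributesEffective is absent without write-property grants
        and, after granting WP on displayName, managedBy and the read-only
        fromEntry, lists only the two writable ones."""
        object_dn = "OU=test_domain_ou1," + self.base_dn
        user_sid, _ldb = self._prepare_ou_for_user(object_dn, "testuser_attr")
        # there should be no allowed attributes
        entry = self._read_entry(_ldb, object_dn, "allowedAttributesEffective")
        self.assertFalse("allowedAttributesEffective" in entry.keys())
        # give the user the right to write displayName and managedBy
        mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
        mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
        # also rights to modify a read-only attribute, fromEntry, which must
        # not be reported
        mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
        self.dacl_add_ace(object_dn, mod + mod2 + mod3)
        entry = self._read_entry(_ldb, object_dn, "allowedAttributesEffective")
        # value should only contain displayName and managedBy
        self.assertEqual(len(entry["allowedAttributesEffective"]), 2)
        self.assertTrue("displayName" in entry["allowedAttributesEffective"])
        self.assertTrue("managedBy" in entry["allowedAttributesEffective"])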
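# Script entry: normalise the target, open the SamDB and run every suite
# in order, exiting non-zero if any of them failed.
if "://" not in host:
    # A bare argument naming an existing file is a local tdb; anything
    # else is treated as an LDAP host name (plain ldap://, no TLS scheme).
    if os.path.isfile(host):
        host = "tdb://%s" % host
    else:
        host = "ldap://%s" % host

ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp,
            options=["modules:paged_searches"])

runner = SubunitTestRunner()
rc = 0
# Order matters only for readability of the subunit stream; each class
# cleans up its own objects in setUp.
for suite_class in (OwnerGroupDescriptorTests, DaclDescriptorTests,
                    SdFlagsDescriptorTests, RightsAttributesTests):
    if not runner.run(unittest.makeSuite(suite_class)).wasSuccessful():
        rc = 1
sys.exit(rc)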