1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

s4:Descriptor tests clean-up.

A bit of refactoring and modified the tests to use encrypted connection so that they pass against Windows unconditionally.
This commit is contained in:
Nadezhda Ivanova 2010-06-14 15:12:00 +03:00
parent 352fb5c7e4
commit 5ad12f70c5

View File

@ -20,6 +20,9 @@ from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import security
from samba import Ldb
from samba import gensec
from samba.samdb import SamDB
from samba.credentials import Credentials
from samba.auth import system_session
from samba.dsdb import DS_DOMAIN_FUNCTION_2008
from samba.dcerpc.security import (
@ -45,6 +48,7 @@ host = args[0]
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
#
# Tests start here
@ -210,33 +214,34 @@ showInAdvancedViewOnly: TRUE
desc = res[0]["nTSecurityDescriptor"][0]
return ndr_unpack(security.descriptor, desc)
def enable_account(self, user_dn):
"""Enable an account.
:param user_dn: Dn of the account to enable.
"""
res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
assert len(res) == 1
userAccountControl = res[0]["userAccountControl"][0]
userAccountControl = int(userAccountControl)
if (userAccountControl & 0x2):
userAccountControl = userAccountControl & ~0x2 # remove disabled bit
if (userAccountControl & 0x20):
userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
mod = """
def create_active_user(self, _ldb, user_dn):
ldif = """
dn: """ + user_dn + """
sAMAccountName: """ + user_dn.split(",")[0][3:] + """
objectClass: user
unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
url: www.example.com
"""
_ldb.add_ldif(ldif)
def add_user_to_group(self, _ldb, username, groupname):
ldif = """
dn: """ + self.get_users_domain_dn(groupname) + """
changetype: modify
replace: userAccountControl
userAccountControl: %s""" % userAccountControl
if self.WIN2003:
mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
self.ldb_admin.modify_ldif(mod)
add: member
member: """ + self.get_users_domain_dn(username)
_ldb.modify_ldif(ldif)
def get_ldb_connection(self, target_username, target_password):
username_save = creds.get_username(); password_save = creds.get_password()
creds.set_username(target_username)
creds.set_password(target_password)
ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
creds.set_username(username_save); creds.set_password(password_save)
creds_tmp = Credentials()
creds_tmp.set_username(target_username)
creds_tmp.set_password(target_password)
creds_tmp.set_domain(creds.get_domain())
creds_tmp.set_realm(creds.get_realm())
creds_tmp.set_workstation(creds.get_workstation())
creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
| gensec.FEATURE_SEAL)
ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
return ldb_target
def get_object_sid(self, object_dn):
@ -260,6 +265,11 @@ userAccountControl: %s""" % userAccountControl
desc = self.read_desc(object_dn, controls)
return desc.as_sddl(self.domain_sid)
def create_enable_user(self, username):
user_dn = self.get_users_domain_dn(username)
self.create_active_user(self.ldb_admin, user_dn)
self.ldb_admin.enable_account("(sAMAccountName=" + username + ")")
def setUp(self):
self.ldb_admin = ldb
self.base_dn = self.find_basedn(self.ldb_admin)
@ -267,12 +277,6 @@ userAccountControl: %s""" % userAccountControl
self.schema_dn = self.find_schemadn(self.ldb_admin)
self.domain_sid = self.find_domain_sid(self.ldb_admin)
print "baseDN: %s" % self.base_dn
self.SAMBA = False; self.WIN2003 = False
res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"])
if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]:
self.SAMBA = True
else:
self.WIN2003 = True
################################################################################################
@ -283,15 +287,14 @@ userAccountControl: %s""" % userAccountControl
class OwnerGroupDescriptorTests(DescriptorTests):
def deleteAll(self):
if self.SAMBA:
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
# DOMAIN
self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
@ -306,107 +309,36 @@ class OwnerGroupDescriptorTests(DescriptorTests):
def setUp(self):
DescriptorTests.setUp(self)
self.deleteAll()
if self.SAMBA:
### Create users
# User 1
user_dn = self.get_users_domain_dn("testuser1")
self.create_domain_user(self.ldb_admin, user_dn)
self.enable_account(user_dn)
ldif = """
dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn
self.ldb_admin.modify_ldif(ldif)
self.create_enable_user("testuser1")
self.add_user_to_group(self.ldb_admin, "testuser1", "Enterprise Admins")
# User 2
user_dn = self.get_users_domain_dn("testuser2")
self.create_domain_user(self.ldb_admin, user_dn)
self.enable_account(user_dn)
ldif = """
dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn
self.ldb_admin.modify_ldif(ldif)
self.create_enable_user("testuser2")
self.add_user_to_group(self.ldb_admin, "testuser2", "Domain Admins")
# User 3
user_dn = self.get_users_domain_dn("testuser3")
self.create_domain_user(self.ldb_admin, user_dn)
self.enable_account(user_dn)
ldif = """
dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn
self.ldb_admin.modify_ldif(ldif)
self.create_enable_user("testuser3")
self.add_user_to_group(self.ldb_admin, "testuser3", "Schema Admins")
# User 4
user_dn = self.get_users_domain_dn("testuser4")
self.create_domain_user(self.ldb_admin, user_dn)
self.enable_account(user_dn)
self.create_enable_user("testuser4")
# User 5
user_dn = self.get_users_domain_dn("testuser5")
self.create_domain_user(self.ldb_admin, user_dn)
self.enable_account(user_dn)
ldif = """
dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn + """
dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn
self.ldb_admin.modify_ldif(ldif)
self.create_enable_user("testuser5")
self.add_user_to_group(self.ldb_admin, "testuser5", "Enterprise Admins")
self.add_user_to_group(self.ldb_admin, "testuser5", "Domain Admins")
# User 6
user_dn = self.get_users_domain_dn("testuser6")
self.create_domain_user(self.ldb_admin, user_dn)
self.enable_account(user_dn)
ldif = """
dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn + """
dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn + """
dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn
self.ldb_admin.modify_ldif(ldif)
self.create_enable_user("testuser6")
self.add_user_to_group(self.ldb_admin, "testuser6", "Enterprise Admins")
self.add_user_to_group(self.ldb_admin, "testuser6", "Domain Admins")
self.add_user_to_group(self.ldb_admin, "testuser6", "Schema Admins")
# User 7
user_dn = self.get_users_domain_dn("testuser7")
self.create_domain_user(self.ldb_admin, user_dn)
self.enable_account(user_dn)
ldif = """
dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn + """
dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn
self.ldb_admin.modify_ldif(ldif)
self.create_enable_user("testuser7")
self.add_user_to_group(self.ldb_admin, "testuser7", "Domain Admins")
self.add_user_to_group(self.ldb_admin, "testuser7", "Schema Admins")
# User 8
user_dn = self.get_users_domain_dn("testuser8")
self.create_domain_user(self.ldb_admin, user_dn)
self.enable_account(user_dn)
ldif = """
dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn + """
self.create_enable_user("testuser8")
self.add_user_to_group(self.ldb_admin, "testuser8", "Enterprise Admins")
self.add_user_to_group(self.ldb_admin, "testuser8", "Schema Admins")
dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn
self.ldb_admin.modify_ldif(ldif)
self.results = {
# msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
"ds_behavior_win2003" : {
@ -1738,7 +1670,6 @@ class DaclDescriptorTests(DescriptorTests):
# Make sure created group object contains only the above inherited ACE(s)
# that we've added manually
desc_sddl = self.get_desc_sddl(group_dn)
print desc_sddl
self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
@ -1755,7 +1686,6 @@ class DaclDescriptorTests(DescriptorTests):
# Make sure created group object contains only the above inherited ACE(s)
# that we've added manually
desc_sddl = self.get_desc_sddl(group_dn)
print desc_sddl
self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
########################################################################################
@ -1922,31 +1852,19 @@ class SdFlagsDescriptorTests(DescriptorTests):
class RightsAttributesTests(DescriptorTests):
def deleteAll(self):
if self.SAMBA:
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
def setUp(self):
DescriptorTests.setUp(self)
self.deleteAll()
if self.SAMBA:
### Create users
# User 1
user_dn = self.get_users_domain_dn("testuser_attr")
self.create_domain_user(self.ldb_admin, user_dn)
self.enable_account(user_dn)
self.create_enable_user("testuser_attr")
# User 2, Domain Admins
user_dn = self.get_users_domain_dn("testuser_attr2")
self.create_domain_user(self.ldb_admin, user_dn)
self.enable_account(user_dn)
ldif = """
dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
changetype: modify
add: member
member: """ + user_dn
self.ldb_admin.modify_ldif(ldif)
self.create_enable_user("testuser_attr2")
self.add_user_to_group(self.ldb_admin, "testuser_attr2", "Domain Admins")
def tearDown(self):
self.deleteAll()
@ -2024,9 +1942,6 @@ member: """ + user_dn
mod = "(A;CI;RP;;;%s)" % str(user_sid)
self.dacl_add_ace(object_dn, mod)
_ldb = self.get_ldb_connection("testuser_attr", "samba123@")
#res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
# attrs=["allowedAttributes"])
#print res
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
attrs=["allowedAttributesEffective"])
#there should be no allowed attributes
@ -2041,7 +1956,6 @@ member: """ + user_dn
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
attrs=["allowedAttributesEffective"])
# value should only contain user and managedBy
print res
self.assertEquals(len(res), 1)
self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
@ -2053,7 +1967,7 @@ if not "://" in host:
else:
host = "ldap://%s" % host
ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
runner = SubunitTestRunner()
rc = 0