2
# -*- coding: utf-8 -*-
11
sys.path.insert(0, "bin/python")
13
samba.ensure_external_module("testtools", "testtools")
14
samba.ensure_external_module("subunit", "subunit/python")
16
import samba.getopt as options
18
# Some error messages that are being tested
19
from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
21
# For running the test unit
22
from samba.ndr import ndr_pack
23
from samba.dcerpc import security
25
from samba import gensec, sd_utils
26
from samba.samdb import SamDB
27
from samba.credentials import Credentials
28
from samba.auth import system_session
29
from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30
from samba.dcerpc.security import (
31
SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32
from subunit.run import SubunitTestRunner
34
from samba.tests import delete_force
37
parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
38
sambaopts = options.SambaOptions(parser)
39
parser.add_option_group(sambaopts)
40
parser.add_option_group(options.VersionOptions(parser))
42
# use command line creds if available
43
credopts = options.CredentialsOptions(parser)
44
parser.add_option_group(credopts)
45
opts, args = parser.parse_args()
53
lp = sambaopts.get_loadparm()
54
creds = credopts.get_credentials(lp)
55
creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
61
class DescriptorTests(samba.tests.TestCase):
63
def get_users_domain_dn(self, name):
64
return "CN=%s,CN=Users,%s" % (name, self.base_dn)
66
def get_unique_schema_class_name(self):
68
class_name = "test-class%s" % random.randint(1,100000)
69
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
71
self.ldb_admin.search(base=class_dn, attrs=["*"])
72
except LdbError, (num, _):
73
self.assertEquals(num, ERR_NO_SUCH_OBJECT)
76
def create_schema_class(self, _ldb, object_dn, desc=None):
78
dn: """ + object_dn + """
79
objectClass: classSchema
80
objectCategory: CN=Class-Schema,""" + self.schema_dn + """
81
defaultObjectCategory: """ + object_dn + """
82
distinguishedName: """ + object_dn + """
83
governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
85
objectClassCategory: 1
86
subClassOf: organizationalPerson
93
assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
94
if isinstance(desc, str):
95
ldif += "nTSecurityDescriptor: %s" % desc
96
elif isinstance(desc, security.descriptor):
97
ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
100
def create_configuration_container(self, _ldb, object_dn, desc=None):
102
dn: """ + object_dn + """
103
objectClass: container
104
objectCategory: CN=Container,""" + self.schema_dn + """
105
showInAdvancedViewOnly: TRUE
109
assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
110
if isinstance(desc, str):
111
ldif += "nTSecurityDescriptor: %s" % desc
112
elif isinstance(desc, security.descriptor):
113
ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
116
def create_configuration_specifier(self, _ldb, object_dn, desc=None):
118
dn: """ + object_dn + """
119
objectClass: displaySpecifier
120
showInAdvancedViewOnly: TRUE
123
assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
124
if isinstance(desc, str):
125
ldif += "nTSecurityDescriptor: %s" % desc
126
elif isinstance(desc, security.descriptor):
127
ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
130
def get_ldb_connection(self, target_username, target_password):
131
creds_tmp = Credentials()
132
creds_tmp.set_username(target_username)
133
creds_tmp.set_password(target_password)
134
creds_tmp.set_domain(creds.get_domain())
135
creds_tmp.set_realm(creds.get_realm())
136
creds_tmp.set_workstation(creds.get_workstation())
137
creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
138
| gensec.FEATURE_SEAL)
139
ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
143
super(DescriptorTests, self).setUp()
145
self.base_dn = ldb.domain_dn()
146
self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
147
self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
148
self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
149
self.sd_utils = sd_utils.SDUtils(ldb)
150
print "baseDN: %s" % self.base_dn
152
################################################################################################
156
# Default descriptor tests #####################################################################
158
class OwnerGroupDescriptorTests(DescriptorTests):
161
delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
162
delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
163
delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
164
delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
165
delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
166
delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
167
delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
168
delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
170
delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
171
delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
172
delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
173
delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
176
delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
177
+ self.configuration_dn)
178
delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
181
super(OwnerGroupDescriptorTests, self).setUp()
184
# User 1 - Enterprise Admins
185
self.ldb_admin.newuser("testuser1", "samba123@")
186
# User 2 - Domain Admins
187
self.ldb_admin.newuser("testuser2", "samba123@")
188
# User 3 - Schema Admins
189
self.ldb_admin.newuser("testuser3", "samba123@")
190
# User 4 - regular user
191
self.ldb_admin.newuser("testuser4", "samba123@")
192
# User 5 - Enterprise Admins and Domain Admins
193
self.ldb_admin.newuser("testuser5", "samba123@")
194
# User 6 - Enterprise Admins, Domain Admins, Schema Admins
195
self.ldb_admin.newuser("testuser6", "samba123@")
196
# User 7 - Domain Admins and Schema Admins
197
self.ldb_admin.newuser("testuser7", "samba123@")
198
# User 5 - Enterprise Admins and Schema Admins
199
self.ldb_admin.newuser("testuser8", "samba123@")
201
self.ldb_admin.add_remove_group_members("Enterprise Admins",
202
"testuser1,testuser5,testuser6,testuser8",
203
add_members_operation=True)
204
self.ldb_admin.add_remove_group_members("Domain Admins",
205
"testuser2,testuser5,testuser6,testuser7",
206
add_members_operation=True)
207
self.ldb_admin.add_remove_group_members("Schema Admins",
208
"testuser3,testuser6,testuser7,testuser8",
209
add_members_operation=True)
212
# msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
213
"ds_behavior_win2003" : {
263
# msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
264
"ds_behavior_win2008" : {
315
# Discover 'msDS-Behavior-Version'
316
res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
317
attrs=['msDS-Behavior-Version'])
318
res = int(res[0]['msDS-Behavior-Version'][0])
319
if res < DS_DOMAIN_FUNCTION_2008:
320
self.DS_BEHAVIOR = "ds_behavior_win2003"
322
self.DS_BEHAVIOR = "ds_behavior_win2008"
325
super(DescriptorTests, self).tearDown()
328
def check_user_belongs(self, user_dn, groups=[]):
329
""" Test wether user is member of the expected group(s) """
331
# User is member of at least one additional group
332
res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
333
res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
336
expected.append(self.get_users_domain_dn(x))
337
expected = [x.upper() for x in sorted(expected)]
338
self.assertEqual(expected, res)
340
# User is not a member of any additional groups but default
341
res = self.ldb_admin.search(user_dn, attrs=["*"])
342
res = [x.upper() for x in res[0].keys()]
343
self.assertFalse( "MEMBEROF" in res)
345
def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
347
sd_user_utils = sd_utils.SDUtils(_ldb)
348
ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
349
if owner_group != "":
350
sd_user_utils.modify_sd_on_dn(object_dn, owner_group + "D:" + ace)
352
sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
353
# Make sure the modify operation has been applied
354
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
355
self.assertTrue(ace in desc_sddl)
356
# Make sure we have identical result for both "add" and "modify"
357
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
358
print self._testMethodName
359
test_number = self._testMethodName[5:]
360
self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
363
""" Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
365
user_name = "testuser1"
366
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
367
# Open Ldb connection with the tested user
368
_ldb = self.get_ldb_connection(user_name, "samba123@")
369
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
370
delete_force(self.ldb_admin, object_dn)
371
_ldb.newgroup("test_domain_group1", grouptype=4)
372
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
373
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
374
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
375
self.check_modify_inheritance(_ldb, object_dn)
378
""" Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
380
user_name = "testuser2"
381
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
382
# Open Ldb connection with the tested user
383
_ldb = self.get_ldb_connection(user_name, "samba123@")
384
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
385
delete_force(self.ldb_admin, object_dn)
386
_ldb.newgroup("test_domain_group1", grouptype=4)
387
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
388
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
389
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
390
self.check_modify_inheritance(_ldb, object_dn)
393
""" Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
395
user_name = "testuser3"
396
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
397
# Open Ldb connection with the tested user
398
_ldb = self.get_ldb_connection(user_name, "samba123@")
399
object_dn = "OU=test_domain_ou1," + self.base_dn
400
delete_force(self.ldb_admin, object_dn)
401
self.ldb_admin.create_ou(object_dn)
402
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
403
mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
404
self.sd_utils.dacl_add_ace(object_dn, mod)
405
# Create additional object into the first one
406
object_dn = "CN=test_domain_user1," + object_dn
407
delete_force(self.ldb_admin, object_dn)
408
_ldb.newuser("test_domain_user1", "samba123@",
409
userou="OU=test_domain_ou1", setpassword=False)
410
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
411
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
412
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
413
# This fails, research why
414
#self.check_modify_inheritance(_ldb, object_dn)
417
""" Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
419
user_name = "testuser4"
420
self.check_user_belongs(self.get_users_domain_dn(user_name), [])
421
# Open Ldb connection with the tested user
422
_ldb = self.get_ldb_connection(user_name, "samba123@")
423
object_dn = "OU=test_domain_ou1," + self.base_dn
424
delete_force(self.ldb_admin, object_dn)
425
self.ldb_admin.create_ou(object_dn)
426
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
427
mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
428
self.sd_utils.dacl_add_ace(object_dn, mod)
429
# Create additional object into the first one
430
object_dn = "CN=test_domain_user1," + object_dn
431
delete_force(self.ldb_admin, object_dn)
432
_ldb.newuser("test_domain_user1", "samba123@",
433
userou="OU=test_domain_ou1", setpassword=False)
434
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
435
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
436
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
437
#this fails, research why
438
#self.check_modify_inheritance(_ldb, object_dn)
441
""" Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
443
user_name = "testuser5"
444
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
445
# Open Ldb connection with the tested user
446
_ldb = self.get_ldb_connection(user_name, "samba123@")
447
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
448
delete_force(self.ldb_admin, object_dn)
449
_ldb.newgroup("test_domain_group1", grouptype=4)
450
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
451
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
452
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
453
self.check_modify_inheritance(_ldb, object_dn)
456
""" Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
458
user_name = "testuser6"
459
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
460
# Open Ldb connection with the tested user
461
_ldb = self.get_ldb_connection(user_name, "samba123@")
462
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
463
delete_force(self.ldb_admin, object_dn)
464
_ldb.newgroup("test_domain_group1", grouptype=4)
465
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
466
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
467
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
468
self.check_modify_inheritance(_ldb, object_dn)
471
""" Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
473
user_name = "testuser7"
474
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
475
# Open Ldb connection with the tested user
476
_ldb = self.get_ldb_connection(user_name, "samba123@")
477
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
478
delete_force(self.ldb_admin, object_dn)
479
_ldb.newgroup("test_domain_group1", grouptype=4)
480
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
481
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
482
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
483
self.check_modify_inheritance(_ldb, object_dn)
486
""" Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
488
user_name = "testuser8"
489
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
490
# Open Ldb connection with the tested user
491
_ldb = self.get_ldb_connection(user_name, "samba123@")
492
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
493
delete_force(self.ldb_admin, object_dn)
494
_ldb.newgroup("test_domain_group1", grouptype=4)
495
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
496
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
497
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
498
self.check_modify_inheritance(_ldb, object_dn)
500
# Control descriptor tests #####################################################################
503
""" Enterprise admin group member creates object (custom descriptor) in DOMAIN
505
user_name = "testuser1"
506
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
507
# Open Ldb connection with the tested user
508
_ldb = self.get_ldb_connection(user_name, "samba123@")
509
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
510
delete_force(self.ldb_admin, object_dn)
511
# Create a custom security descriptor
512
sddl = "O:DAG:DAD:(A;;RP;;;DU)"
513
tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
514
_ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
515
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
516
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
517
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
520
""" Domain admin group member creates object (custom descriptor) in DOMAIN
522
user_name = "testuser2"
523
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
524
# Open Ldb connection with the tested user
525
_ldb = self.get_ldb_connection(user_name, "samba123@")
526
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
527
delete_force(self.ldb_admin, object_dn)
528
# Create a custom security descriptor
529
sddl = "O:DAG:DAD:(A;;RP;;;DU)"
530
tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
531
_ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
532
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
533
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
534
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
537
""" Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
539
user_name = "testuser3"
540
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
541
# Open Ldb connection with the tested user
542
_ldb = self.get_ldb_connection(user_name, "samba123@")
543
object_dn = "OU=test_domain_ou1," + self.base_dn
544
delete_force(self.ldb_admin, object_dn)
545
self.ldb_admin.create_ou(object_dn)
546
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
547
mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
548
self.sd_utils.dacl_add_ace(object_dn, mod)
549
# Create a custom security descriptor
550
# NB! Problematic owner part won't accept DA only <User Sid> !!!
551
sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
552
tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
553
# Create additional object into the first one
554
object_dn = "CN=test_domain_user1," + object_dn
555
delete_force(self.ldb_admin, object_dn)
556
_ldb.newuser("test_domain_user1", "samba123@",
557
userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
558
desc = self.sd_utils.read_sd_on_dn(object_dn)
559
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
560
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
561
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
564
""" Regular user with CC right creates object (custom descriptor) in DOMAIN
566
user_name = "testuser4"
567
self.check_user_belongs(self.get_users_domain_dn(user_name), [])
568
# Open Ldb connection with the tested user
569
_ldb = self.get_ldb_connection(user_name, "samba123@")
570
object_dn = "OU=test_domain_ou1," + self.base_dn
571
delete_force(self.ldb_admin, object_dn)
572
self.ldb_admin.create_ou(object_dn)
573
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
574
mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
575
self.sd_utils.dacl_add_ace(object_dn, mod)
576
# Create a custom security descriptor
577
# NB! Problematic owner part won't accept DA only <User Sid> !!!
578
sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
579
tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
580
# Create additional object into the first one
581
object_dn = "CN=test_domain_user1," + object_dn
582
delete_force(self.ldb_admin, object_dn)
583
_ldb.newuser("test_domain_user1", "samba123@",
584
userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
585
desc = self.sd_utils.read_sd_on_dn(object_dn)
586
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
587
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
588
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
591
""" Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
593
user_name = "testuser5"
594
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
595
# Open Ldb connection with the tested user
596
_ldb = self.get_ldb_connection(user_name, "samba123@")
597
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
598
delete_force(self.ldb_admin, object_dn)
599
# Create a custom security descriptor
600
sddl = "O:DAG:DAD:(A;;RP;;;DU)"
601
tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
602
_ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
603
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
604
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
605
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
608
""" Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
610
user_name = "testuser6"
611
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
612
# Open Ldb connection with the tested user
613
_ldb = self.get_ldb_connection(user_name, "samba123@")
614
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
615
delete_force(self.ldb_admin, object_dn)
616
# Create a custom security descriptor
617
sddl = "O:DAG:DAD:(A;;RP;;;DU)"
618
tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
619
_ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
620
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
621
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
622
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
625
""" Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
627
user_name = "testuser7"
628
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
629
# Open Ldb connection with the tested user
630
_ldb = self.get_ldb_connection(user_name, "samba123@")
631
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
632
delete_force(self.ldb_admin, object_dn)
633
# Create a custom security descriptor
634
sddl = "O:DAG:DAD:(A;;RP;;;DU)"
635
tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
636
_ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
637
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
638
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
639
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
642
""" Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
644
user_name = "testuser8"
645
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
646
# Open Ldb connection with the tested user
647
_ldb = self.get_ldb_connection(user_name, "samba123@")
648
object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
649
delete_force(self.ldb_admin, object_dn)
650
# Create a custom security descriptor
651
sddl = "O:DAG:DAD:(A;;RP;;;DU)"
652
tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
653
_ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
654
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
655
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
656
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
659
user_name = "Administrator"
660
object_dn = "OU=test_domain_ou1," + self.base_dn
661
delete_force(self.ldb_admin, object_dn)
662
self.ldb_admin.create_ou(object_dn)
663
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
664
mod = "(D;CI;WP;;;S-1-3-0)"
666
self.sd_utils.dacl_add_ace(object_dn, mod)
667
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
668
# Create additional object into the first one
669
object_dn = "OU=test_domain_ou2," + object_dn
670
delete_force(self.ldb_admin, object_dn)
671
self.ldb_admin.create_ou(object_dn)
672
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
676
# Defalt descriptor tests ##################################################################
679
user_name = "testuser1"
680
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
681
# Open Ldb connection with the tested user
682
_ldb = self.get_ldb_connection(user_name, "samba123@")
683
# Change Schema partition descriptor
684
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
685
mod = "(A;;WDCC;;;AU)"
686
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
687
# Create example Schema class
688
class_name = self.get_unique_schema_class_name()
689
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
690
self.create_schema_class(_ldb, class_dn)
691
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
692
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
693
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
694
self.check_modify_inheritance(_ldb, class_dn)
697
user_name = "testuser2"
698
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
699
# Open Ldb connection with the tested user
700
_ldb = self.get_ldb_connection(user_name, "samba123@")
701
# Change Schema partition descriptor
702
mod = "(A;CI;WDCC;;;AU)"
703
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
704
# Create example Schema class
705
class_name = self.get_unique_schema_class_name()
706
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
707
self.create_schema_class(_ldb, class_dn)
708
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
709
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
710
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
711
self.check_modify_inheritance(_ldb, class_dn)
714
user_name = "testuser3"
715
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
716
# Open Ldb connection with the tested user
717
_ldb = self.get_ldb_connection(user_name, "samba123@")
718
# Change Schema partition descriptor
719
mod = "(A;CI;WDCC;;;AU)"
720
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
721
# Create example Schema class
722
class_name = self.get_unique_schema_class_name()
723
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
724
self.create_schema_class(_ldb, class_dn)
725
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
726
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
727
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
728
#self.check_modify_inheritance(_ldb, class_dn)
731
user_name = "testuser4"
732
self.check_user_belongs(self.get_users_domain_dn(user_name), [])
733
# Open Ldb connection with the tested user
734
_ldb = self.get_ldb_connection(user_name, "samba123@")
735
#Change Schema partition descriptor
736
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
737
mod = "(A;CI;WDCC;;;AU)"
738
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
739
# Create example Schema class
740
class_name = self.get_unique_schema_class_name()
741
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
742
self.create_schema_class(_ldb, class_dn)
743
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
744
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
745
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
746
#self.check_modify_inheritance(_ldb, class_dn)
749
user_name = "testuser5"
750
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
751
# Open Ldb connection with the tested user
752
_ldb = self.get_ldb_connection(user_name, "samba123@")
753
#Change Schema partition descriptor
754
mod = "(A;CI;WDCC;;;AU)"
755
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
756
# Create example Schema class
757
class_name = self.get_unique_schema_class_name()
758
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
759
self.create_schema_class(_ldb, class_dn)
760
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
761
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
762
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
763
self.check_modify_inheritance(_ldb, class_dn)
766
user_name = "testuser6"
767
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
768
# Open Ldb connection with the tested user
769
_ldb = self.get_ldb_connection(user_name, "samba123@")
770
# Change Schema partition descriptor
771
mod = "(A;CI;WDCC;;;AU)"
772
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
773
# Create example Schema class
774
class_name = self.get_unique_schema_class_name()
775
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
776
self.create_schema_class(_ldb, class_dn)
777
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
778
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
779
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
780
self.check_modify_inheritance(_ldb, class_dn)
783
user_name = "testuser7"
784
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
785
# Open Ldb connection with the tested user
786
_ldb = self.get_ldb_connection(user_name, "samba123@")
787
# Change Schema partition descriptor
788
mod = "(A;CI;WDCC;;;AU)"
789
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
790
# Create example Schema class
791
class_name = self.get_unique_schema_class_name()
792
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
793
self.create_schema_class(_ldb, class_dn)
794
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
795
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
796
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
797
self.check_modify_inheritance(_ldb, class_dn)
800
user_name = "testuser8"
801
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
802
# Open Ldb connection with the tested user
803
_ldb = self.get_ldb_connection(user_name, "samba123@")
804
# Change Schema partition descriptor
805
mod = "(A;CI;WDCC;;;AU)"
806
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
807
# Create example Schema class
808
class_name = self.get_unique_schema_class_name()
809
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
810
self.create_schema_class(_ldb, class_dn)
811
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
812
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
813
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
814
self.check_modify_inheritance(_ldb, class_dn)
816
# Custom descriptor tests ##################################################################
819
user_name = "testuser1"
820
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
821
# Open Ldb connection with the tested user
822
_ldb = self.get_ldb_connection(user_name, "samba123@")
823
# Change Schema partition descriptor
825
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
826
# Create a custom security descriptor
827
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
828
# Create example Schema class
829
class_name = self.get_unique_schema_class_name()
830
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
831
self.create_schema_class(_ldb, class_dn, desc_sddl)
832
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
833
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
834
self.assertEqual("O:DAG:DA", res)
837
user_name = "testuser2"
838
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
839
# Open Ldb connection with the tested user
840
_ldb = self.get_ldb_connection(user_name, "samba123@")
841
# Change Schema partition descriptor
843
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
844
# Create a custom security descriptor
845
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
846
# Create example Schema class
847
class_name = self.get_unique_schema_class_name()
848
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
849
self.create_schema_class(_ldb, class_dn, desc_sddl)
850
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
851
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
852
self.assertEqual("O:DAG:DA", res)
855
user_name = "testuser3"
856
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
857
# Open Ldb connection with the tested user
858
_ldb = self.get_ldb_connection(user_name, "samba123@")
859
# Create a custom security descriptor
860
# NB! Problematic owner part won't accept DA only <User Sid> !!!
861
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
862
desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
863
# Create example Schema class
864
class_name = self.get_unique_schema_class_name()
865
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
866
self.create_schema_class(_ldb, class_dn, desc_sddl)
867
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
868
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
869
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
872
user_name = "testuser4"
873
self.check_user_belongs(self.get_users_domain_dn(user_name), [])
874
# Open Ldb connection with the tested user
875
_ldb = self.get_ldb_connection(user_name, "samba123@")
876
# Create a custom security descriptor
877
# NB! Problematic owner part won't accept DA only <User Sid> !!!
878
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
879
desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
880
# Create example Schema class
881
class_name = self.get_unique_schema_class_name()
882
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
883
self.create_schema_class(_ldb, class_dn, desc_sddl)
884
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
885
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
886
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
889
user_name = "testuser5"
890
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
891
# Open Ldb connection with the tested user
892
_ldb = self.get_ldb_connection(user_name, "samba123@")
893
# Change Schema partition descriptor
895
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
896
# Create a custom security descriptor
897
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
898
# Create example Schema class
899
class_name = self.get_unique_schema_class_name()
900
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
901
self.create_schema_class(_ldb, class_dn, desc_sddl)
902
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
903
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
904
self.assertEqual("O:DAG:DA", res)
907
user_name = "testuser6"
908
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
909
# Open Ldb connection with the tested user
910
_ldb = self.get_ldb_connection(user_name, "samba123@")
911
# Change Schema partition descriptor
913
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
914
# Create a custom security descriptor
915
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
916
# Create example Schema class
917
class_name = self.get_unique_schema_class_name()
918
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
919
self.create_schema_class(_ldb, class_dn, desc_sddl)
920
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
921
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
922
self.assertEqual("O:DAG:DA", res)
925
user_name = "testuser7"
926
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
927
# Open Ldb connection with the tested user
928
_ldb = self.get_ldb_connection(user_name, "samba123@")
929
# Change Schema partition descriptor
931
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
932
# Create a custom security descriptor
933
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
934
# Create example Schema class
935
class_name = self.get_unique_schema_class_name()
936
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
937
self.create_schema_class(_ldb, class_dn, desc_sddl)
938
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
939
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
940
self.assertEqual("O:DAG:DA", res)
943
user_name = "testuser8"
944
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
945
# Open Ldb connection with the tested user
946
_ldb = self.get_ldb_connection(user_name, "samba123@")
947
# Change Schema partition descriptor
949
self.sd_utils.dacl_add_ace(self.schema_dn, mod)
950
# Create a custom security descriptor
951
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
952
# Create example Schema class
953
class_name = self.get_unique_schema_class_name()
954
class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
955
self.create_schema_class(_ldb, class_dn, desc_sddl)
956
desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
957
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
958
self.assertEqual("O:DAG:DA", res)
960
## Tests for CONFIGURATION
962
# Defalt descriptor tests ##################################################################
965
user_name = "testuser1"
966
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
967
# Open Ldb connection with the tested user
968
_ldb = self.get_ldb_connection(user_name, "samba123@")
969
# Create example Configuration container
970
container_name = "test-container1"
971
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
972
delete_force(self.ldb_admin, object_dn)
973
self.create_configuration_container(_ldb, object_dn, )
974
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
975
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
976
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
977
self.check_modify_inheritance(_ldb, object_dn)
980
user_name = "testuser2"
981
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
982
# Open Ldb connection with the tested user
983
_ldb = self.get_ldb_connection(user_name, "samba123@")
984
# Create example Configuration container
985
container_name = "test-container1"
986
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
987
delete_force(self.ldb_admin, object_dn)
988
self.create_configuration_container(_ldb, object_dn, )
989
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
990
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
991
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
992
self.check_modify_inheritance(_ldb, object_dn)
995
user_name = "testuser3"
996
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
997
# Open Ldb connection with the tested user
998
_ldb = self.get_ldb_connection(user_name, "samba123@")
999
# Create example Configuration container
1000
object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1001
delete_force(self.ldb_admin, object_dn)
1002
self.create_configuration_container(self.ldb_admin, object_dn, )
1003
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1004
mod = "(A;;WDCC;;;AU)"
1005
self.sd_utils.dacl_add_ace(object_dn, mod)
1006
# Create child object with user's credentials
1007
object_dn = "CN=test-specifier1," + object_dn
1008
delete_force(self.ldb_admin, object_dn)
1009
self.create_configuration_specifier(_ldb, object_dn)
1010
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1011
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1012
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1013
#self.check_modify_inheritance(_ldb, object_dn)
1016
user_name = "testuser4"
1017
self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1018
# Open Ldb connection with the tested user
1019
_ldb = self.get_ldb_connection(user_name, "samba123@")
1020
# Create example Configuration container
1021
object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1022
delete_force(self.ldb_admin, object_dn)
1023
self.create_configuration_container(self.ldb_admin, object_dn, )
1024
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1025
mod = "(A;CI;WDCC;;;AU)"
1026
self.sd_utils.dacl_add_ace(object_dn, mod)
1027
# Create child object with user's credentials
1028
object_dn = "CN=test-specifier1," + object_dn
1029
delete_force(self.ldb_admin, object_dn)
1030
self.create_configuration_specifier(_ldb, object_dn)
1031
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1032
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1033
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1034
#self.check_modify_inheritance(_ldb, object_dn)
1037
user_name = "testuser5"
1038
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1039
# Open Ldb connection with the tested user
1040
_ldb = self.get_ldb_connection(user_name, "samba123@")
1041
# Create example Configuration container
1042
container_name = "test-container1"
1043
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1044
delete_force(self.ldb_admin, object_dn)
1045
self.create_configuration_container(_ldb, object_dn, )
1046
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1047
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1048
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1049
self.check_modify_inheritance(_ldb, object_dn)
1052
user_name = "testuser6"
1053
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1054
# Open Ldb connection with the tested user
1055
_ldb = self.get_ldb_connection(user_name, "samba123@")
1056
# Create example Configuration container
1057
container_name = "test-container1"
1058
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1059
delete_force(self.ldb_admin, object_dn)
1060
self.create_configuration_container(_ldb, object_dn, )
1061
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1062
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1063
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1064
self.check_modify_inheritance(_ldb, object_dn)
1067
user_name = "testuser7"
1068
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1069
# Open Ldb connection with the tested user
1070
_ldb = self.get_ldb_connection(user_name, "samba123@")
1071
# Create example Configuration container
1072
container_name = "test-container1"
1073
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1074
delete_force(self.ldb_admin, object_dn)
1075
self.create_configuration_container(_ldb, object_dn, )
1076
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1077
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1078
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1079
self.check_modify_inheritance(_ldb, object_dn)
1082
user_name = "testuser8"
1083
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1084
# Open Ldb connection with the tested user
1085
_ldb = self.get_ldb_connection(user_name, "samba123@")
1086
# Create example Configuration container
1087
container_name = "test-container1"
1088
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1089
delete_force(self.ldb_admin, object_dn)
1090
self.create_configuration_container(_ldb, object_dn, )
1091
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1092
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1093
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1094
self.check_modify_inheritance(_ldb, object_dn)
1096
# Custom descriptor tests ##################################################################
1099
user_name = "testuser1"
1100
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1101
# Open Ldb connection with the tested user
1102
_ldb = self.get_ldb_connection(user_name, "samba123@")
1103
# Create example Configuration container
1104
container_name = "test-container1"
1105
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1106
delete_force(self.ldb_admin, object_dn)
1107
# Create a custom security descriptor
1108
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1109
self.create_configuration_container(_ldb, object_dn, desc_sddl)
1110
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1111
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1112
self.assertEqual("O:DAG:DA", res)
1115
user_name = "testuser2"
1116
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1117
# Open Ldb connection with the tested user
1118
_ldb = self.get_ldb_connection(user_name, "samba123@")
1119
# Create example Configuration container
1120
container_name = "test-container1"
1121
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1122
delete_force(self.ldb_admin, object_dn)
1123
# Create a custom security descriptor
1124
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1125
self.create_configuration_container(_ldb, object_dn, desc_sddl)
1126
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1127
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1128
self.assertEqual("O:DAG:DA", res)
1131
user_name = "testuser3"
1132
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1133
# Open Ldb connection with the tested user
1134
_ldb = self.get_ldb_connection(user_name, "samba123@")
1135
# Create example Configuration container
1136
object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1137
delete_force(self.ldb_admin, object_dn)
1138
self.create_configuration_container(self.ldb_admin, object_dn, )
1139
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1140
mod = "(A;;CC;;;AU)"
1141
self.sd_utils.dacl_add_ace(object_dn, mod)
1142
# Create child object with user's credentials
1143
object_dn = "CN=test-specifier1," + object_dn
1144
delete_force(self.ldb_admin, object_dn)
1145
# Create a custom security descriptor
1146
# NB! Problematic owner part won't accept DA only <User Sid> !!!
1147
desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1148
self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1149
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1150
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1151
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1154
user_name = "testuser4"
1155
self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1156
# Open Ldb connection with the tested user
1157
_ldb = self.get_ldb_connection(user_name, "samba123@")
1158
# Create example Configuration container
1159
object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1160
delete_force(self.ldb_admin, object_dn)
1161
self.create_configuration_container(self.ldb_admin, object_dn, )
1162
user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1163
mod = "(A;;CC;;;AU)"
1164
self.sd_utils.dacl_add_ace(object_dn, mod)
1165
# Create child object with user's credentials
1166
object_dn = "CN=test-specifier1," + object_dn
1167
delete_force(self.ldb_admin, object_dn)
1168
# Create a custom security descriptor
1169
# NB! Problematic owner part won't accept DA only <User Sid> !!!
1170
desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1171
self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1172
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1173
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1174
self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1177
user_name = "testuser5"
1178
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1179
# Open Ldb connection with the tested user
1180
_ldb = self.get_ldb_connection(user_name, "samba123@")
1181
# Create example Configuration container
1182
container_name = "test-container1"
1183
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1184
delete_force(self.ldb_admin, object_dn)
1185
# Create a custom security descriptor
1186
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1187
self.create_configuration_container(_ldb, object_dn, desc_sddl)
1188
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1189
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1190
self.assertEqual("O:DAG:DA", res)
1193
user_name = "testuser6"
1194
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1195
# Open Ldb connection with the tested user
1196
_ldb = self.get_ldb_connection(user_name, "samba123@")
1197
# Create example Configuration container
1198
container_name = "test-container1"
1199
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1200
delete_force(self.ldb_admin, object_dn)
1201
# Create a custom security descriptor
1202
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1203
self.create_configuration_container(_ldb, object_dn, desc_sddl)
1204
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1205
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1206
self.assertEqual("O:DAG:DA", res)
1209
user_name = "testuser7"
1210
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1211
# Open Ldb connection with the tested user
1212
_ldb = self.get_ldb_connection(user_name, "samba123@")
1213
# Create example Configuration container
1214
container_name = "test-container1"
1215
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1216
delete_force(self.ldb_admin, object_dn)
1217
# Create a custom security descriptor
1218
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1219
self.create_configuration_container(_ldb, object_dn, desc_sddl)
1220
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1221
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1222
self.assertEqual("O:DAG:DA", res)
1225
user_name = "testuser8"
1226
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1227
# Open Ldb connection with the tested user
1228
_ldb = self.get_ldb_connection(user_name, "samba123@")
1229
# Create example Configuration container
1230
container_name = "test-container1"
1231
object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1232
delete_force(self.ldb_admin, object_dn)
1233
# Create a custom security descriptor
1234
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1235
self.create_configuration_container(_ldb, object_dn, desc_sddl)
1236
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1237
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1238
self.assertEqual("O:DAG:DA", res)
1240
########################################################################################
1241
# Inheritance tests for DACL
1243
class DaclDescriptorTests(DescriptorTests):
1245
def deleteAll(self):
1246
delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1247
delete_force(self.ldb_admin, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1248
delete_force(self.ldb_admin, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1249
delete_force(self.ldb_admin, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1250
delete_force(self.ldb_admin, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1251
delete_force(self.ldb_admin, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self.base_dn)
1252
delete_force(self.ldb_admin, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self.base_dn)
1253
delete_force(self.ldb_admin, "OU=test_inherit_ou_p," + self.base_dn)
1254
delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1257
super(DaclDescriptorTests, self).setUp()
1260
def create_clean_ou(self, object_dn):
1261
""" Base repeating setup for unittests to follow """
1262
res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1263
expression="distinguishedName=%s" % object_dn)
1264
# Make sure top testing OU has been deleted before starting the test
1265
self.assertEqual(len(res), 0)
1266
self.ldb_admin.create_ou(object_dn)
1267
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1268
# Make sure there are inheritable ACEs initially
1269
self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1270
# Find and remove all inherit ACEs
1271
res = re.findall("\(.*?\)", desc_sddl)
1272
res = [x for x in res if ("CI" in x) or ("OI" in x)]
1274
desc_sddl = desc_sddl.replace(x, "")
1275
# Add flag 'protected' in both DACL and SACL so no inherit ACEs
1276
# can propagate from above
1277
# remove SACL, we are not interested
1278
desc_sddl = desc_sddl.replace(":AI", ":AIP")
1279
self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
1280
# Verify all inheritable ACEs are gone
1281
desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1282
self.assertFalse("CI" in desc_sddl)
1283
self.assertFalse("OI" in desc_sddl)
1286
""" OU with protected flag and child group. See if the group has inherit ACEs.
1288
ou_dn = "OU=test_inherit_ou," + self.base_dn
1289
group_dn = "CN=test_inherit_group," + ou_dn
1290
# Create inheritable-free OU
1291
self.create_clean_ou(ou_dn)
1292
# Create group child object
1293
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1294
# Make sure created group object contains NO inherit ACEs
1295
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1296
self.assertFalse("ID" in desc_sddl)
1299
""" OU with protected flag and no inherit ACEs, child group with custom descriptor.
1300
Verify group has custom and default ACEs only.
1302
ou_dn = "OU=test_inherit_ou," + self.base_dn
1303
group_dn = "CN=test_inherit_group," + ou_dn
1304
# Create inheritable-free OU
1305
self.create_clean_ou(ou_dn)
1306
# Create group child object using custom security descriptor
1307
sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1308
tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
1309
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1310
# Make sure created group descriptor has NO additional ACEs
1311
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1312
self.assertEqual(desc_sddl, sddl)
1313
sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1314
self.sd_utils.modify_sd_on_dn(group_dn, sddl)
1315
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1316
self.assertEqual(desc_sddl, sddl)
1319
""" OU with protected flag and add couple non-inheritable ACEs, child group.
1320
See if the group has any of the added ACEs.
1322
ou_dn = "OU=test_inherit_ou," + self.base_dn
1323
group_dn = "CN=test_inherit_group," + ou_dn
1324
# Create inheritable-free OU
1325
self.create_clean_ou(ou_dn)
1326
# Add some custom non-inheritable ACEs
1327
mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1328
moded = "(D;;CC;;;LG)"
1329
self.sd_utils.dacl_add_ace(ou_dn, mod)
1330
# Verify all inheritable ACEs are gone
1331
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1332
# Create group child object
1333
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1334
# Make sure created group object contains NO inherit ACEs
1335
# also make sure the added above non-inheritable ACEs are absent too
1336
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1337
self.assertFalse("ID" in desc_sddl)
1338
for x in re.findall("\(.*?\)", mod):
1339
self.assertFalse(x in desc_sddl)
1340
self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1341
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1342
self.assertFalse("ID" in desc_sddl)
1343
for x in re.findall("\(.*?\)", mod):
1344
self.assertFalse(x in desc_sddl)
1347
""" OU with protected flag and add 'CI' ACE, child group.
1348
See if the group has the added inherited ACE.
1350
ou_dn = "OU=test_inherit_ou," + self.base_dn
1351
group_dn = "CN=test_inherit_group," + ou_dn
1352
# Create inheritable-free OU
1353
self.create_clean_ou(ou_dn)
1354
# Add some custom 'CI' ACE
1355
mod = "(D;CI;WP;;;DU)"
1356
moded = "(D;;CC;;;LG)"
1357
self.sd_utils.dacl_add_ace(ou_dn, mod)
1358
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1359
# Create group child object
1360
tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1361
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1362
# Make sure created group object contains only the above inherited ACE
1363
# that we've added manually
1364
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1365
mod = mod.replace(";CI;", ";CIID;")
1366
self.assertTrue(mod in desc_sddl)
1367
self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1368
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1369
self.assertTrue(moded in desc_sddl)
1370
self.assertTrue(mod in desc_sddl)
1373
""" OU with protected flag and add 'OI' ACE, child group.
1374
See if the group has the added inherited ACE.
1376
ou_dn = "OU=test_inherit_ou," + self.base_dn
1377
group_dn = "CN=test_inherit_group," + ou_dn
1378
# Create inheritable-free OU
1379
self.create_clean_ou(ou_dn)
1380
# Add some custom 'CI' ACE
1381
mod = "(D;OI;WP;;;DU)"
1382
moded = "(D;;CC;;;LG)"
1383
self.sd_utils.dacl_add_ace(ou_dn, mod)
1384
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1385
# Create group child object
1386
tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1387
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1388
# Make sure created group object contains only the above inherited ACE
1389
# that we've added manually
1390
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1391
mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1392
self.assertTrue(mod in desc_sddl)
1393
self.sd_utils.modify_sd_on_dn(group_dn, "D:" +moded)
1394
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1395
self.assertTrue(moded in desc_sddl)
1396
self.assertTrue(mod in desc_sddl)
1399
""" OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1400
See if the group has the added inherited ACE.
1402
ou_dn = "OU=test_inherit_ou," + self.base_dn
1403
group_dn = "CN=test_inherit_group," + ou_dn
1404
# Create inheritable-free OU
1405
self.create_clean_ou(ou_dn)
1406
# Add some custom 'OA' for 'name' attribute & 'CI' ACE
1407
mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1408
moded = "(D;;CC;;;LG)"
1409
self.sd_utils.dacl_add_ace(ou_dn, mod)
1410
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1411
# Create group child object
1412
tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1413
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1414
# Make sure created group object contains only the above inherited ACE
1415
# that we've added manually
1416
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1417
mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1418
self.assertTrue(mod in desc_sddl)
1419
self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1420
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1421
self.assertTrue(moded in desc_sddl)
1422
self.assertTrue(mod in desc_sddl)
1425
""" OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1426
See if the group has the added inherited ACE.
1428
ou_dn = "OU=test_inherit_ou," + self.base_dn
1429
group_dn = "CN=test_inherit_group," + ou_dn
1430
# Create inheritable-free OU
1431
self.create_clean_ou(ou_dn)
1432
# Add some custom 'OA' for 'name' attribute & 'OI' ACE
1433
mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1434
moded = "(D;;CC;;;LG)"
1435
self.sd_utils.dacl_add_ace(ou_dn, mod)
1436
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1437
# Create group child object
1438
tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1439
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1440
# Make sure created group object contains only the above inherited ACE
1441
# that we've added manually
1442
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1443
mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1444
self.assertTrue(mod in desc_sddl)
1445
self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1446
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1447
self.assertTrue(moded in desc_sddl)
1448
self.assertTrue(mod in desc_sddl)
1451
""" OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1452
See if the group has the added inherited ACE.
1454
ou_dn = "OU=test_inherit_ou," + self.base_dn
1455
group_dn = "CN=test_inherit_group," + ou_dn
1456
# Create inheritable-free OU
1457
self.create_clean_ou(ou_dn)
1458
# Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1459
mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1460
moded = "(D;;CC;;;LG)"
1461
self.sd_utils.dacl_add_ace(ou_dn, mod)
1462
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1463
# Create group child object
1464
tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1465
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1466
# Make sure created group object contains only the above inherited ACE
1467
# that we've added manually
1468
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1469
mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1470
self.assertTrue(mod in desc_sddl)
1471
self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1472
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1473
self.assertTrue(moded in desc_sddl)
1474
self.assertTrue(mod in desc_sddl)
1477
""" OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1478
See if the group has the added inherited ACE.
1480
ou_dn = "OU=test_inherit_ou," + self.base_dn
1481
group_dn = "CN=test_inherit_group," + ou_dn
1482
# Create inheritable-free OU
1483
self.create_clean_ou(ou_dn)
1484
# Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1485
mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1486
moded = "(D;;CC;;;LG)"
1487
self.sd_utils.dacl_add_ace(ou_dn, mod)
1488
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1489
# Create group child object
1490
tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1491
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1492
# Make sure created group object contains only the above inherited ACE
1493
# that we've added manually
1494
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1495
mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1496
self.assertTrue(mod in desc_sddl)
1497
self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1498
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1499
self.assertTrue(moded in desc_sddl)
1500
self.assertTrue(mod in desc_sddl)
1503
""" OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1504
See if the group has the added inherited ACE.
1506
ou_dn = "OU=test_inherit_ou," + self.base_dn
1507
group_dn = "CN=test_inherit_group," + ou_dn
1508
# Create inheritable-free OU
1509
self.create_clean_ou(ou_dn)
1510
# Add some custom 'CI' ACE
1511
mod = "(D;CI;WP;;;CO)"
1512
moded = "(D;;CC;;;LG)"
1513
self.sd_utils.dacl_add_ace(ou_dn, mod)
1514
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1515
# Create group child object
1516
tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1517
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1518
# Make sure created group object contains only the above inherited ACE(s)
1519
# that we've added manually
1520
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1521
self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1522
self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1523
self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1524
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1525
self.assertTrue(moded in desc_sddl)
1526
self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1527
self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1530
""" OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1532
ou_dn = "OU=test_inherit_ou," + self.base_dn
1533
group_dn = "CN=test_inherit_group," + ou_dn
1534
self.create_clean_ou(ou_dn)
1535
# Add some custom ACE
1536
mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1537
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1538
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1539
# Make sure created group object does not contain the ID ace
1540
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1541
self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1544
""" Provide ACE with CO SID, should be expanded and replaced
1546
ou_dn = "OU=test_inherit_ou," + self.base_dn
1547
group_dn = "CN=test_inherit_group," + ou_dn
1548
# Create inheritable-free OU
1549
self.create_clean_ou(ou_dn)
1550
# Add some custom 'CI' ACE
1551
mod = "D:(D;CI;WP;;;CO)"
1552
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1553
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1554
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1555
self.assertTrue("(D;;WP;;;DA)" in desc_sddl)
1556
self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1559
""" Provide ACE with IO flag, should be ignored
1561
ou_dn = "OU=test_inherit_ou," + self.base_dn
1562
group_dn = "CN=test_inherit_group," + ou_dn
1563
# Create inheritable-free OU
1564
self.create_clean_ou(ou_dn)
1565
# Add some custom 'CI' ACE
1566
mod = "D:(D;CIIO;WP;;;CO)"
1567
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1568
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1569
# Make sure created group object contains only the above inherited ACE(s)
1570
# that we've added manually
1571
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1572
self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1573
self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1574
self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1577
""" Provide ACE with IO flag, should be ignored
1579
ou_dn = "OU=test_inherit_ou," + self.base_dn
1580
group_dn = "CN=test_inherit_group," + ou_dn
1581
# Create inheritable-free OU
1582
self.create_clean_ou(ou_dn)
1583
mod = "D:(D;IO;WP;;;DA)"
1584
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1585
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1586
# Make sure created group object contains only the above inherited ACE(s)
1587
# that we've added manually
1588
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1589
self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1592
""" Test behavior of ACEs containing generic rights
1594
ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1595
ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1596
ou_dn2 = "OU=test_inherit_ou2," + ou_dn
1597
ou_dn3 = "OU=test_inherit_ou3," + ou_dn
1598
ou_dn4 = "OU=test_inherit_ou4," + ou_dn
1599
ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1600
ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
1601
# Create inheritable-free OU
1602
mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1603
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1604
self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1605
mod = "D:(A;CI;GA;;;DU)"
1606
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1607
self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1608
mod = "D:(A;CIIO;GA;;;DU)"
1609
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1610
self.ldb_admin.create_ou(ou_dn2, sd=tmp_desc)
1611
mod = "D:(A;;GA;;;DU)"
1612
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1613
self.ldb_admin.create_ou(ou_dn3, sd=tmp_desc)
1614
mod = "D:(A;IO;GA;;;DU)"
1615
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1616
self.ldb_admin.create_ou(ou_dn4, sd=tmp_desc)
1618
self.ldb_admin.create_ou(ou_dn5)
1619
self.ldb_admin.create_ou(ou_dn6)
1621
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
1622
self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1623
self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1624
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
1625
self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1626
self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1627
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
1628
self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1629
self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1630
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
1631
self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1632
self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1633
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1634
self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1635
self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1636
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
1637
self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1638
self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1641
""" Make sure IO flag is removed in child objects
1643
ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1644
ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1645
ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1646
# Create inheritable-free OU
1647
mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1648
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1649
self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1650
mod = "D:(A;CIIO;WP;;;DU)"
1651
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1652
self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1653
self.ldb_admin.create_ou(ou_dn5)
1654
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1655
self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
1656
self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
1659
""" Make sure ID ACES provided by user are ignored
1661
ou_dn = "OU=test_inherit_ou," + self.base_dn
1662
group_dn = "CN=test_inherit_group," + ou_dn
1663
mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1664
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1665
self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1666
# Add some custom ACE
1667
mod = "D:(D;ID;WP;;;AU)"
1668
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1669
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1670
# Make sure created group object does not contain the ID ace
1671
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1672
self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1673
self.assertFalse("(A;;WP;;;AU)" in desc_sddl)
1676
""" Make sure ID ACES provided by user are not ignored if P flag is set
1678
ou_dn = "OU=test_inherit_ou," + self.base_dn
1679
group_dn = "CN=test_inherit_group," + ou_dn
1680
mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1681
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1682
self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1683
# Add some custom ACE
1684
mod = "D:P(A;ID;WP;;;AU)"
1685
tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1686
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1687
# Make sure created group object does not contain the ID ace
1688
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1689
self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1690
self.assertTrue("(A;;WP;;;AU)" in desc_sddl)
1692
########################################################################################
1695
class SdFlagsDescriptorTests(DescriptorTests):
1696
def deleteAll(self):
1697
delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1700
super(SdFlagsDescriptorTests, self).setUp()
1701
self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1705
""" Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1706
See that only the owner has been changed.
1708
ou_dn = "OU=test_sdflags_ou," + self.base_dn
1709
self.ldb_admin.create_ou(ou_dn)
1710
self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1711
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1712
# make sure we have modified the owner
1713
self.assertTrue("O:AU" in desc_sddl)
1714
# make sure nothing else has been modified
1715
self.assertFalse("G:AU" in desc_sddl)
1716
self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1717
self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1720
""" Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1721
See that only the owner has been changed.
1723
ou_dn = "OU=test_sdflags_ou," + self.base_dn
1724
self.ldb_admin.create_ou(ou_dn)
1725
self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1726
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1727
# make sure we have modified the group
1728
self.assertTrue("G:AU" in desc_sddl)
1729
# make sure nothing else has been modified
1730
self.assertFalse("O:AU" in desc_sddl)
1731
self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1732
self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1735
""" Modify a descriptor with SACL_SECURITY_INFORMATION set.
1736
See that only the owner has been changed.
1738
ou_dn = "OU=test_sdflags_ou," + self.base_dn
1739
self.ldb_admin.create_ou(ou_dn)
1740
self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1741
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1742
# make sure we have modified the DACL
1743
self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1744
# make sure nothing else has been modified
1745
self.assertFalse("O:AU" in desc_sddl)
1746
self.assertFalse("G:AU" in desc_sddl)
1747
self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1750
""" Modify a descriptor with SACL_SECURITY_INFORMATION set.
1751
See that only the owner has been changed.
1753
ou_dn = "OU=test_sdflags_ou," + self.base_dn
1754
self.ldb_admin.create_ou(ou_dn)
1755
self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1756
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1757
# make sure we have modified the DACL
1758
self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1759
# make sure nothing else has been modified
1760
self.assertFalse("O:AU" in desc_sddl)
1761
self.assertFalse("G:AU" in desc_sddl)
1762
self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1765
""" Modify a descriptor with 0x0 set.
1766
Contrary to logic this is interpreted as no control,
1767
which is the same as 0xF
1769
ou_dn = "OU=test_sdflags_ou," + self.base_dn
1770
self.ldb_admin.create_ou(ou_dn)
1771
self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1772
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1773
# make sure we have modified the DACL
1774
self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1775
# make sure nothing else has been modified
1776
self.assertTrue("O:AU" in desc_sddl)
1777
self.assertTrue("G:AU" in desc_sddl)
1778
self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1781
""" Modify a descriptor with 0xF set.
1783
ou_dn = "OU=test_sdflags_ou," + self.base_dn
1784
self.ldb_admin.create_ou(ou_dn)
1785
self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1786
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1787
# make sure we have modified the DACL
1788
self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1789
# make sure nothing else has been modified
1790
self.assertTrue("O:AU" in desc_sddl)
1791
self.assertTrue("G:AU" in desc_sddl)
1792
self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1795
""" Read a descriptor with OWNER_SECURITY_INFORMATION
1796
Only the owner part should be returned.
1798
ou_dn = "OU=test_sdflags_ou," + self.base_dn
1799
self.ldb_admin.create_ou(ou_dn)
1800
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1801
# make sure we have read the owner
1802
self.assertTrue("O:" in desc_sddl)
1803
# make sure we have read nothing else
1804
self.assertFalse("G:" in desc_sddl)
1805
self.assertFalse("D:" in desc_sddl)
1806
self.assertFalse("S:" in desc_sddl)
1809
""" Read a descriptor with GROUP_SECURITY_INFORMATION
1810
Only the group part should be returned.
1812
ou_dn = "OU=test_sdflags_ou," + self.base_dn
1813
self.ldb_admin.create_ou(ou_dn)
1814
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1815
# make sure we have read the owner
1816
self.assertTrue("G:" in desc_sddl)
1817
# make sure we have read nothing else
1818
self.assertFalse("O:" in desc_sddl)
1819
self.assertFalse("D:" in desc_sddl)
1820
self.assertFalse("S:" in desc_sddl)
1823
""" Read a descriptor with SACL_SECURITY_INFORMATION
1824
Only the sacl part should be returned.
1826
ou_dn = "OU=test_sdflags_ou," + self.base_dn
1827
self.ldb_admin.create_ou(ou_dn)
1828
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1829
# make sure we have read the owner
1830
self.assertTrue("S:" in desc_sddl)
1831
# make sure we have read nothing else
1832
self.assertFalse("O:" in desc_sddl)
1833
self.assertFalse("D:" in desc_sddl)
1834
self.assertFalse("G:" in desc_sddl)
1837
""" Read a descriptor with DACL_SECURITY_INFORMATION
1838
Only the dacl part should be returned.
1840
ou_dn = "OU=test_sdflags_ou," + self.base_dn
1841
self.ldb_admin.create_ou(ou_dn)
1842
desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1843
# make sure we have read the owner
1844
self.assertTrue("D:" in desc_sddl)
1845
# make sure we have read nothing else
1846
self.assertFalse("O:" in desc_sddl)
1847
self.assertFalse("S:" in desc_sddl)
1848
self.assertFalse("G:" in desc_sddl)
1851
class RightsAttributesTests(DescriptorTests):
1853
def deleteAll(self):
1854
delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1855
delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1856
delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1859
super(RightsAttributesTests, self).setUp()
1863
self.ldb_admin.newuser("testuser_attr", "samba123@")
1864
# User 2, Domain Admins
1865
self.ldb_admin.newuser("testuser_attr2", "samba123@")
1866
self.ldb_admin.add_remove_group_members("Domain Admins",
1868
add_members_operation=True)
1870
def test_sDRightsEffective(self):
1871
object_dn = "OU=test_domain_ou1," + self.base_dn
1872
delete_force(self.ldb_admin, object_dn)
1873
self.ldb_admin.create_ou(object_dn)
1874
print self.get_users_domain_dn("testuser_attr")
1875
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1876
#give testuser1 read access so attributes can be retrieved
1877
mod = "(A;CI;RP;;;%s)" % str(user_sid)
1878
self.sd_utils.dacl_add_ace(object_dn, mod)
1879
_ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1880
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1881
attrs=["sDRightsEffective"])
1882
#user whould have no rights at all
1883
self.assertEquals(len(res), 1)
1884
self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1885
#give the user Write DACL and see what happens
1886
mod = "(A;CI;WD;;;%s)" % str(user_sid)
1887
self.sd_utils.dacl_add_ace(object_dn, mod)
1888
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1889
attrs=["sDRightsEffective"])
1890
#user whould have DACL_SECURITY_INFORMATION
1891
self.assertEquals(len(res), 1)
1892
self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1893
#give the user Write Owners and see what happens
1894
mod = "(A;CI;WO;;;%s)" % str(user_sid)
1895
self.sd_utils.dacl_add_ace(object_dn, mod)
1896
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1897
attrs=["sDRightsEffective"])
1898
#user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1899
self.assertEquals(len(res), 1)
1900
self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1901
#no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1902
_ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1903
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1904
attrs=["sDRightsEffective"])
1905
#user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1906
self.assertEquals(len(res), 1)
1907
self.assertEquals(res[0]["sDRightsEffective"][0], \
1908
("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1910
def test_allowedChildClassesEffective(self):
1911
object_dn = "OU=test_domain_ou1," + self.base_dn
1912
delete_force(self.ldb_admin, object_dn)
1913
self.ldb_admin.create_ou(object_dn)
1914
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1915
#give testuser1 read access so attributes can be retrieved
1916
mod = "(A;CI;RP;;;%s)" % str(user_sid)
1917
self.sd_utils.dacl_add_ace(object_dn, mod)
1918
_ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1919
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1920
attrs=["allowedChildClassesEffective"])
1921
#there should be no allowed child classes
1922
self.assertEquals(len(res), 1)
1923
self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1924
#give the user the right to create children of type user
1925
mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1926
self.sd_utils.dacl_add_ace(object_dn, mod)
1927
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1928
attrs=["allowedChildClassesEffective"])
1929
# allowedChildClassesEffective should only have one value, user
1930
self.assertEquals(len(res), 1)
1931
self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1932
self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1934
def test_allowedAttributesEffective(self):
1935
object_dn = "OU=test_domain_ou1," + self.base_dn
1936
delete_force(self.ldb_admin, object_dn)
1937
self.ldb_admin.create_ou(object_dn)
1938
user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1939
#give testuser1 read access so attributes can be retrieved
1940
mod = "(A;CI;RP;;;%s)" % str(user_sid)
1941
self.sd_utils.dacl_add_ace(object_dn, mod)
1942
_ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1943
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1944
attrs=["allowedAttributesEffective"])
1945
#there should be no allowed attributes
1946
self.assertEquals(len(res), 1)
1947
self.assertFalse("allowedAttributesEffective" in res[0].keys())
1948
#give the user the right to write displayName and managedBy
1949
mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1950
mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1951
# also rights to modify an read only attribute, fromEntry
1952
mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1953
self.sd_utils.dacl_add_ace(object_dn, mod + mod2 + mod3)
1954
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1955
attrs=["allowedAttributesEffective"])
1956
# value should only contain user and managedBy
1957
self.assertEquals(len(res), 1)
1958
self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1959
self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1960
self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1962
if not "://" in host:
1963
if os.path.isfile(host):
1964
host = "tdb://%s" % host
1966
host = "ldap://%s" % host
1968
# use 'paged_search' module when connecting remotely
1969
if host.lower().startswith("ldap://"):
1970
ldb_options = ["modules:paged_searches"]
1974
session_info=system_session(lp),
1976
options=ldb_options)
1978
runner = SubunitTestRunner()
1980
if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1982
if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1984
if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
1986
if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
added
removed
source4/dsdb/tests/python/sec_descriptor.py
