2 # -*- coding: utf-8 -*-
11 sys.path.insert(0, "bin/python")
14 from samba.tests.subunitrun import SubunitOptions, TestProgram
16 import samba.getopt as options
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
21 # For running the test unit
22 from samba.ndr import ndr_pack, ndr_unpack
23 from samba.dcerpc import security
25 from samba import gensec, sd_utils
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials, DONT_USE_KERBEROS
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
33 from samba.tests import delete_force
35 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
36 sambaopts = options.SambaOptions(parser)
37 parser.add_option_group(sambaopts)
38 parser.add_option_group(options.VersionOptions(parser))
40 # use command line creds if available
41 credopts = options.CredentialsOptions(parser)
42 parser.add_option_group(credopts)
43 subunitopts = SubunitOptions(parser)
44 parser.add_option_group(subunitopts)
46 opts, args = parser.parse_args()
54 lp = sambaopts.get_loadparm()
55 creds = credopts.get_credentials(lp)
56 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
62 class DescriptorTests(samba.tests.TestCase):
64 def get_users_domain_dn(self, name):
65 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
67 def get_unique_schema_class_name(self):
69 class_name = "test-class%s" % random.randint(1,100000)
70 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
72 self.ldb_admin.search(base=class_dn, attrs=["*"])
73 except LdbError, (num, _):
74 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
77 def create_schema_class(self, _ldb, object_dn, desc=None):
79 dn: """ + object_dn + """
80 objectClass: classSchema
81 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
82 defaultObjectCategory: """ + object_dn + """
83 distinguishedName: """ + object_dn + """
84 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
86 objectClassCategory: 1
87 subClassOf: organizationalPerson
94 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
95 if isinstance(desc, str):
96 ldif += "nTSecurityDescriptor: %s" % desc
97 elif isinstance(desc, security.descriptor):
98 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
101 def create_configuration_container(self, _ldb, object_dn, desc=None):
103 dn: """ + object_dn + """
104 objectClass: container
105 objectCategory: CN=Container,""" + self.schema_dn + """
106 showInAdvancedViewOnly: TRUE
110 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
111 if isinstance(desc, str):
112 ldif += "nTSecurityDescriptor: %s" % desc
113 elif isinstance(desc, security.descriptor):
114 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
117 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
119 dn: """ + object_dn + """
120 objectClass: displaySpecifier
121 showInAdvancedViewOnly: TRUE
124 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
125 if isinstance(desc, str):
126 ldif += "nTSecurityDescriptor: %s" % desc
127 elif isinstance(desc, security.descriptor):
128 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
131 def get_ldb_connection(self, target_username, target_password):
132 creds_tmp = Credentials()
133 creds_tmp.set_username(target_username)
134 creds_tmp.set_password(target_password)
135 creds_tmp.set_domain(creds.get_domain())
136 creds_tmp.set_realm(creds.get_realm())
137 creds_tmp.set_workstation(creds.get_workstation())
138 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
139 | gensec.FEATURE_SEAL)
140 creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
141 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
145 super(DescriptorTests, self).setUp()
146 self.ldb_admin = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp,
148 self.base_dn = self.ldb_admin.domain_dn()
149 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
150 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
151 self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
152 self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
153 print "baseDN: %s" % self.base_dn
155 ################################################################################################
159 # Default descriptor tests #####################################################################
161 class OwnerGroupDescriptorTests(DescriptorTests):
164 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
165 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
166 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
167 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
168 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
169 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
170 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
171 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
173 delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
174 delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
175 delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
176 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
179 delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
180 + self.configuration_dn)
181 delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
184 super(OwnerGroupDescriptorTests, self).setUp()
187 # User 1 - Enterprise Admins
188 self.ldb_admin.newuser("testuser1", "samba123@")
189 # User 2 - Domain Admins
190 self.ldb_admin.newuser("testuser2", "samba123@")
191 # User 3 - Schema Admins
192 self.ldb_admin.newuser("testuser3", "samba123@")
193 # User 4 - regular user
194 self.ldb_admin.newuser("testuser4", "samba123@")
195 # User 5 - Enterprise Admins and Domain Admins
196 self.ldb_admin.newuser("testuser5", "samba123@")
197 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
198 self.ldb_admin.newuser("testuser6", "samba123@")
199 # User 7 - Domain Admins and Schema Admins
200 self.ldb_admin.newuser("testuser7", "samba123@")
201 # User 5 - Enterprise Admins and Schema Admins
202 self.ldb_admin.newuser("testuser8", "samba123@")
204 self.ldb_admin.add_remove_group_members("Enterprise Admins",
205 ["testuser1", "testuser5", "testuser6", "testuser8"],
206 add_members_operation=True)
207 self.ldb_admin.add_remove_group_members("Domain Admins",
208 ["testuser2","testuser5","testuser6","testuser7"],
209 add_members_operation=True)
210 self.ldb_admin.add_remove_group_members("Schema Admins",
211 ["testuser3","testuser6","testuser7","testuser8"],
212 add_members_operation=True)
215 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
216 "ds_behavior_win2003" : {
266 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
267 "ds_behavior_win2008" : {
318 # Discover 'domainControllerFunctionality'
319 res = self.ldb_admin.search(base="", scope=SCOPE_BASE,
320 attrs=['domainControllerFunctionality'])
321 res = int(res[0]['domainControllerFunctionality'][0])
322 if res < DS_DOMAIN_FUNCTION_2008:
323 self.DS_BEHAVIOR = "ds_behavior_win2003"
325 self.DS_BEHAVIOR = "ds_behavior_win2008"
328 super(DescriptorTests, self).tearDown()
331 def check_user_belongs(self, user_dn, groups=[]):
332 """ Test wether user is member of the expected group(s) """
334 # User is member of at least one additional group
335 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
336 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
339 expected.append(self.get_users_domain_dn(x))
340 expected = [x.upper() for x in sorted(expected)]
341 self.assertEqual(expected, res)
343 # User is not a member of any additional groups but default
344 res = self.ldb_admin.search(user_dn, attrs=["*"])
345 res = [x.upper() for x in res[0].keys()]
346 self.assertFalse( "MEMBEROF" in res)
348 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
350 sd_user_utils = sd_utils.SDUtils(_ldb)
351 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
352 if owner_group != "":
353 sd_user_utils.modify_sd_on_dn(object_dn, owner_group + "D:" + ace)
355 sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
356 # Make sure the modify operation has been applied
357 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
358 self.assertTrue(ace in desc_sddl)
359 # Make sure we have identical result for both "add" and "modify"
360 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
361 print self._testMethodName
362 test_number = self._testMethodName[5:]
363 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
366 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
368 user_name = "testuser1"
369 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
370 # Open Ldb connection with the tested user
371 _ldb = self.get_ldb_connection(user_name, "samba123@")
372 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
373 delete_force(self.ldb_admin, object_dn)
374 _ldb.newgroup("test_domain_group1", grouptype=4)
375 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
376 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
377 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
378 self.check_modify_inheritance(_ldb, object_dn)
381 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
383 user_name = "testuser2"
384 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
385 # Open Ldb connection with the tested user
386 _ldb = self.get_ldb_connection(user_name, "samba123@")
387 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
388 delete_force(self.ldb_admin, object_dn)
389 _ldb.newgroup("test_domain_group1", grouptype=4)
390 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
391 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
392 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
393 self.check_modify_inheritance(_ldb, object_dn)
396 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
398 user_name = "testuser3"
399 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
400 # Open Ldb connection with the tested user
401 _ldb = self.get_ldb_connection(user_name, "samba123@")
402 object_dn = "OU=test_domain_ou1," + self.base_dn
403 delete_force(self.ldb_admin, object_dn)
404 self.ldb_admin.create_ou(object_dn)
405 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
406 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
407 self.sd_utils.dacl_add_ace(object_dn, mod)
408 # Create additional object into the first one
409 object_dn = "CN=test_domain_user1," + object_dn
410 delete_force(self.ldb_admin, object_dn)
411 _ldb.newuser("test_domain_user1", "samba123@",
412 userou="OU=test_domain_ou1", setpassword=False)
413 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
414 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
415 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
416 # This fails, research why
417 #self.check_modify_inheritance(_ldb, object_dn)
420 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
422 user_name = "testuser4"
423 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
424 # Open Ldb connection with the tested user
425 _ldb = self.get_ldb_connection(user_name, "samba123@")
426 object_dn = "OU=test_domain_ou1," + self.base_dn
427 delete_force(self.ldb_admin, object_dn)
428 self.ldb_admin.create_ou(object_dn)
429 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
430 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
431 self.sd_utils.dacl_add_ace(object_dn, mod)
432 # Create additional object into the first one
433 object_dn = "CN=test_domain_user1," + object_dn
434 delete_force(self.ldb_admin, object_dn)
435 _ldb.newuser("test_domain_user1", "samba123@",
436 userou="OU=test_domain_ou1", setpassword=False)
437 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
438 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
439 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
440 #this fails, research why
441 #self.check_modify_inheritance(_ldb, object_dn)
444 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
446 user_name = "testuser5"
447 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
448 # Open Ldb connection with the tested user
449 _ldb = self.get_ldb_connection(user_name, "samba123@")
450 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
451 delete_force(self.ldb_admin, object_dn)
452 _ldb.newgroup("test_domain_group1", grouptype=4)
453 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
454 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
455 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
456 self.check_modify_inheritance(_ldb, object_dn)
459 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
461 user_name = "testuser6"
462 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
463 # Open Ldb connection with the tested user
464 _ldb = self.get_ldb_connection(user_name, "samba123@")
465 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
466 delete_force(self.ldb_admin, object_dn)
467 _ldb.newgroup("test_domain_group1", grouptype=4)
468 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
469 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
470 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
471 self.check_modify_inheritance(_ldb, object_dn)
474 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
476 user_name = "testuser7"
477 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
478 # Open Ldb connection with the tested user
479 _ldb = self.get_ldb_connection(user_name, "samba123@")
480 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
481 delete_force(self.ldb_admin, object_dn)
482 _ldb.newgroup("test_domain_group1", grouptype=4)
483 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
484 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
485 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
486 self.check_modify_inheritance(_ldb, object_dn)
489 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
491 user_name = "testuser8"
492 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
493 # Open Ldb connection with the tested user
494 _ldb = self.get_ldb_connection(user_name, "samba123@")
495 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
496 delete_force(self.ldb_admin, object_dn)
497 _ldb.newgroup("test_domain_group1", grouptype=4)
498 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
499 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
500 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
501 self.check_modify_inheritance(_ldb, object_dn)
503 # Control descriptor tests #####################################################################
506 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
508 user_name = "testuser1"
509 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
510 # Open Ldb connection with the tested user
511 _ldb = self.get_ldb_connection(user_name, "samba123@")
512 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
513 delete_force(self.ldb_admin, object_dn)
514 # Create a custom security descriptor
515 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
516 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
517 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
518 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
519 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
520 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
523 """ Domain admin group member creates object (custom descriptor) in DOMAIN
525 user_name = "testuser2"
526 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
527 # Open Ldb connection with the tested user
528 _ldb = self.get_ldb_connection(user_name, "samba123@")
529 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
530 delete_force(self.ldb_admin, object_dn)
531 # Create a custom security descriptor
532 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
533 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
534 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
535 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
536 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
537 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
540 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
542 user_name = "testuser3"
543 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
544 # Open Ldb connection with the tested user
545 _ldb = self.get_ldb_connection(user_name, "samba123@")
546 object_dn = "OU=test_domain_ou1," + self.base_dn
547 delete_force(self.ldb_admin, object_dn)
548 self.ldb_admin.create_ou(object_dn)
549 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
550 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
551 self.sd_utils.dacl_add_ace(object_dn, mod)
552 # Create a custom security descriptor
553 # NB! Problematic owner part won't accept DA only <User Sid> !!!
554 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
555 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
556 # Create additional object into the first one
557 object_dn = "CN=test_domain_user1," + object_dn
558 delete_force(self.ldb_admin, object_dn)
559 _ldb.newuser("test_domain_user1", "samba123@",
560 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
561 desc = self.sd_utils.read_sd_on_dn(object_dn)
562 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
563 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
564 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
567 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
569 user_name = "testuser4"
570 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
571 # Open Ldb connection with the tested user
572 _ldb = self.get_ldb_connection(user_name, "samba123@")
573 object_dn = "OU=test_domain_ou1," + self.base_dn
574 delete_force(self.ldb_admin, object_dn)
575 self.ldb_admin.create_ou(object_dn)
576 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
577 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
578 self.sd_utils.dacl_add_ace(object_dn, mod)
579 # Create a custom security descriptor
580 # NB! Problematic owner part won't accept DA only <User Sid> !!!
581 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
582 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
583 # Create additional object into the first one
584 object_dn = "CN=test_domain_user1," + object_dn
585 delete_force(self.ldb_admin, object_dn)
586 _ldb.newuser("test_domain_user1", "samba123@",
587 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
588 desc = self.sd_utils.read_sd_on_dn(object_dn)
589 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
590 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
591 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
594 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
596 user_name = "testuser5"
597 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
598 # Open Ldb connection with the tested user
599 _ldb = self.get_ldb_connection(user_name, "samba123@")
600 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
601 delete_force(self.ldb_admin, object_dn)
602 # Create a custom security descriptor
603 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
604 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
605 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
606 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
607 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
608 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
611 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
613 user_name = "testuser6"
614 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
615 # Open Ldb connection with the tested user
616 _ldb = self.get_ldb_connection(user_name, "samba123@")
617 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
618 delete_force(self.ldb_admin, object_dn)
619 # Create a custom security descriptor
620 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
621 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
622 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
623 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
624 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
625 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
628 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
630 user_name = "testuser7"
631 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
632 # Open Ldb connection with the tested user
633 _ldb = self.get_ldb_connection(user_name, "samba123@")
634 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
635 delete_force(self.ldb_admin, object_dn)
636 # Create a custom security descriptor
637 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
638 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
639 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
640 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
641 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
642 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
645 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
647 user_name = "testuser8"
648 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
649 # Open Ldb connection with the tested user
650 _ldb = self.get_ldb_connection(user_name, "samba123@")
651 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
652 delete_force(self.ldb_admin, object_dn)
653 # Create a custom security descriptor
654 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
655 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
656 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
657 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
658 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
659 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
662 user_name = "Administrator"
663 object_dn = "OU=test_domain_ou1," + self.base_dn
664 delete_force(self.ldb_admin, object_dn)
665 self.ldb_admin.create_ou(object_dn)
666 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
667 mod = "(D;CI;WP;;;S-1-3-0)"
669 self.sd_utils.dacl_add_ace(object_dn, mod)
670 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
671 # Create additional object into the first one
672 object_dn = "OU=test_domain_ou2," + object_dn
673 delete_force(self.ldb_admin, object_dn)
674 self.ldb_admin.create_ou(object_dn)
675 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
679 # Defalt descriptor tests ##################################################################
682 user_name = "testuser1"
683 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
684 # Open Ldb connection with the tested user
685 _ldb = self.get_ldb_connection(user_name, "samba123@")
686 # Change Schema partition descriptor
687 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
688 mod = "(A;;WDCC;;;AU)"
689 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
690 # Create example Schema class
691 class_name = self.get_unique_schema_class_name()
692 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
693 self.create_schema_class(_ldb, class_dn)
694 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
695 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
696 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
697 self.check_modify_inheritance(_ldb, class_dn)
700 user_name = "testuser2"
701 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
702 # Open Ldb connection with the tested user
703 _ldb = self.get_ldb_connection(user_name, "samba123@")
704 # Change Schema partition descriptor
705 mod = "(A;CI;WDCC;;;AU)"
706 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
707 # Create example Schema class
708 class_name = self.get_unique_schema_class_name()
709 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
710 self.create_schema_class(_ldb, class_dn)
711 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
712 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
713 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
714 self.check_modify_inheritance(_ldb, class_dn)
717 user_name = "testuser3"
718 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
719 # Open Ldb connection with the tested user
720 _ldb = self.get_ldb_connection(user_name, "samba123@")
721 # Change Schema partition descriptor
722 mod = "(A;CI;WDCC;;;AU)"
723 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
724 # Create example Schema class
725 class_name = self.get_unique_schema_class_name()
726 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
727 self.create_schema_class(_ldb, class_dn)
728 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
729 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
730 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
731 #self.check_modify_inheritance(_ldb, class_dn)
734 user_name = "testuser4"
735 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
736 # Open Ldb connection with the tested user
737 _ldb = self.get_ldb_connection(user_name, "samba123@")
738 #Change Schema partition descriptor
739 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
740 mod = "(A;CI;WDCC;;;AU)"
741 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
742 # Create example Schema class
743 class_name = self.get_unique_schema_class_name()
744 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
745 self.create_schema_class(_ldb, class_dn)
746 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
747 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
748 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
749 #self.check_modify_inheritance(_ldb, class_dn)
752 user_name = "testuser5"
753 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
754 # Open Ldb connection with the tested user
755 _ldb = self.get_ldb_connection(user_name, "samba123@")
756 #Change Schema partition descriptor
757 mod = "(A;CI;WDCC;;;AU)"
758 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
759 # Create example Schema class
760 class_name = self.get_unique_schema_class_name()
761 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
762 self.create_schema_class(_ldb, class_dn)
763 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
764 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
765 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
766 self.check_modify_inheritance(_ldb, class_dn)
769 user_name = "testuser6"
770 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
771 # Open Ldb connection with the tested user
772 _ldb = self.get_ldb_connection(user_name, "samba123@")
773 # Change Schema partition descriptor
774 mod = "(A;CI;WDCC;;;AU)"
775 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
776 # Create example Schema class
777 class_name = self.get_unique_schema_class_name()
778 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
779 self.create_schema_class(_ldb, class_dn)
780 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
781 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
782 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
783 self.check_modify_inheritance(_ldb, class_dn)
786 user_name = "testuser7"
787 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
788 # Open Ldb connection with the tested user
789 _ldb = self.get_ldb_connection(user_name, "samba123@")
790 # Change Schema partition descriptor
791 mod = "(A;CI;WDCC;;;AU)"
792 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
793 # Create example Schema class
794 class_name = self.get_unique_schema_class_name()
795 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
796 self.create_schema_class(_ldb, class_dn)
797 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
798 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
799 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
800 self.check_modify_inheritance(_ldb, class_dn)
803 user_name = "testuser8"
804 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
805 # Open Ldb connection with the tested user
806 _ldb = self.get_ldb_connection(user_name, "samba123@")
807 # Change Schema partition descriptor
808 mod = "(A;CI;WDCC;;;AU)"
809 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
810 # Create example Schema class
811 class_name = self.get_unique_schema_class_name()
812 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
813 self.create_schema_class(_ldb, class_dn)
814 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
815 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
816 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
817 self.check_modify_inheritance(_ldb, class_dn)
819 # Custom descriptor tests ##################################################################
822 user_name = "testuser1"
823 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
824 # Open Ldb connection with the tested user
825 _ldb = self.get_ldb_connection(user_name, "samba123@")
826 # Change Schema partition descriptor
828 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
829 # Create a custom security descriptor
830 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
831 # Create example Schema class
832 class_name = self.get_unique_schema_class_name()
833 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
834 self.create_schema_class(_ldb, class_dn, desc_sddl)
835 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
836 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
837 self.assertEqual("O:DAG:DA", res)
840 user_name = "testuser2"
841 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
842 # Open Ldb connection with the tested user
843 _ldb = self.get_ldb_connection(user_name, "samba123@")
844 # Change Schema partition descriptor
846 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
847 # Create a custom security descriptor
848 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
849 # Create example Schema class
850 class_name = self.get_unique_schema_class_name()
851 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
852 self.create_schema_class(_ldb, class_dn, desc_sddl)
853 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
854 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
855 self.assertEqual("O:DAG:DA", res)
858 user_name = "testuser3"
859 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
860 # Open Ldb connection with the tested user
861 _ldb = self.get_ldb_connection(user_name, "samba123@")
862 # Create a custom security descriptor
863 # NB! Problematic owner part won't accept DA only <User Sid> !!!
864 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
865 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
866 # Create example Schema class
867 class_name = self.get_unique_schema_class_name()
868 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
869 self.create_schema_class(_ldb, class_dn, desc_sddl)
870 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
871 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
872 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
875 user_name = "testuser4"
876 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
877 # Open Ldb connection with the tested user
878 _ldb = self.get_ldb_connection(user_name, "samba123@")
879 # Create a custom security descriptor
880 # NB! Problematic owner part won't accept DA only <User Sid> !!!
881 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
882 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
883 # Create example Schema class
884 class_name = self.get_unique_schema_class_name()
885 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
886 self.create_schema_class(_ldb, class_dn, desc_sddl)
887 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
888 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
889 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
892 user_name = "testuser5"
893 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
894 # Open Ldb connection with the tested user
895 _ldb = self.get_ldb_connection(user_name, "samba123@")
896 # Change Schema partition descriptor
898 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
899 # Create a custom security descriptor
900 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
901 # Create example Schema class
902 class_name = self.get_unique_schema_class_name()
903 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
904 self.create_schema_class(_ldb, class_dn, desc_sddl)
905 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
906 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
907 self.assertEqual("O:DAG:DA", res)
910 user_name = "testuser6"
911 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
912 # Open Ldb connection with the tested user
913 _ldb = self.get_ldb_connection(user_name, "samba123@")
914 # Change Schema partition descriptor
916 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
917 # Create a custom security descriptor
918 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
919 # Create example Schema class
920 class_name = self.get_unique_schema_class_name()
921 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
922 self.create_schema_class(_ldb, class_dn, desc_sddl)
923 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
924 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
925 self.assertEqual("O:DAG:DA", res)
928 user_name = "testuser7"
929 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
930 # Open Ldb connection with the tested user
931 _ldb = self.get_ldb_connection(user_name, "samba123@")
932 # Change Schema partition descriptor
934 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
935 # Create a custom security descriptor
936 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
937 # Create example Schema class
938 class_name = self.get_unique_schema_class_name()
939 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
940 self.create_schema_class(_ldb, class_dn, desc_sddl)
941 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
942 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
943 self.assertEqual("O:DAG:DA", res)
946 user_name = "testuser8"
947 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
948 # Open Ldb connection with the tested user
949 _ldb = self.get_ldb_connection(user_name, "samba123@")
950 # Change Schema partition descriptor
952 self.sd_utils.dacl_add_ace(self.schema_dn, mod)
953 # Create a custom security descriptor
954 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
955 # Create example Schema class
956 class_name = self.get_unique_schema_class_name()
957 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
958 self.create_schema_class(_ldb, class_dn, desc_sddl)
959 desc_sddl = self.sd_utils.get_sd_as_sddl(class_dn)
960 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
961 self.assertEqual("O:DAG:DA", res)
963 ## Tests for CONFIGURATION
965 # Defalt descriptor tests ##################################################################
968 user_name = "testuser1"
969 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
970 # Open Ldb connection with the tested user
971 _ldb = self.get_ldb_connection(user_name, "samba123@")
972 # Create example Configuration container
973 container_name = "test-container1"
974 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
975 delete_force(self.ldb_admin, object_dn)
976 self.create_configuration_container(_ldb, object_dn, )
977 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
978 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
979 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
980 self.check_modify_inheritance(_ldb, object_dn)
983 user_name = "testuser2"
984 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
985 # Open Ldb connection with the tested user
986 _ldb = self.get_ldb_connection(user_name, "samba123@")
987 # Create example Configuration container
988 container_name = "test-container1"
989 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
990 delete_force(self.ldb_admin, object_dn)
991 self.create_configuration_container(_ldb, object_dn, )
992 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
993 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
994 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
995 self.check_modify_inheritance(_ldb, object_dn)
998 user_name = "testuser3"
999 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1000 # Open Ldb connection with the tested user
1001 _ldb = self.get_ldb_connection(user_name, "samba123@")
1002 # Create example Configuration container
1003 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1004 delete_force(self.ldb_admin, object_dn)
1005 self.create_configuration_container(self.ldb_admin, object_dn, )
1006 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1007 mod = "(A;;WDCC;;;AU)"
1008 self.sd_utils.dacl_add_ace(object_dn, mod)
1009 # Create child object with user's credentials
1010 object_dn = "CN=test-specifier1," + object_dn
1011 delete_force(self.ldb_admin, object_dn)
1012 self.create_configuration_specifier(_ldb, object_dn)
1013 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1014 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1015 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1016 #self.check_modify_inheritance(_ldb, object_dn)
1019 user_name = "testuser4"
1020 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1021 # Open Ldb connection with the tested user
1022 _ldb = self.get_ldb_connection(user_name, "samba123@")
1023 # Create example Configuration container
1024 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1025 delete_force(self.ldb_admin, object_dn)
1026 self.create_configuration_container(self.ldb_admin, object_dn, )
1027 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1028 mod = "(A;CI;WDCC;;;AU)"
1029 self.sd_utils.dacl_add_ace(object_dn, mod)
1030 # Create child object with user's credentials
1031 object_dn = "CN=test-specifier1," + object_dn
1032 delete_force(self.ldb_admin, object_dn)
1033 self.create_configuration_specifier(_ldb, object_dn)
1034 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1035 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1036 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1037 #self.check_modify_inheritance(_ldb, object_dn)
1040 user_name = "testuser5"
1041 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1042 # Open Ldb connection with the tested user
1043 _ldb = self.get_ldb_connection(user_name, "samba123@")
1044 # Create example Configuration container
1045 container_name = "test-container1"
1046 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1047 delete_force(self.ldb_admin, object_dn)
1048 self.create_configuration_container(_ldb, object_dn, )
1049 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1050 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1051 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1052 self.check_modify_inheritance(_ldb, object_dn)
1055 user_name = "testuser6"
1056 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1057 # Open Ldb connection with the tested user
1058 _ldb = self.get_ldb_connection(user_name, "samba123@")
1059 # Create example Configuration container
1060 container_name = "test-container1"
1061 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1062 delete_force(self.ldb_admin, object_dn)
1063 self.create_configuration_container(_ldb, object_dn, )
1064 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1065 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1066 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1067 self.check_modify_inheritance(_ldb, object_dn)
1070 user_name = "testuser7"
1071 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1072 # Open Ldb connection with the tested user
1073 _ldb = self.get_ldb_connection(user_name, "samba123@")
1074 # Create example Configuration container
1075 container_name = "test-container1"
1076 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1077 delete_force(self.ldb_admin, object_dn)
1078 self.create_configuration_container(_ldb, object_dn, )
1079 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1080 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1081 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1082 self.check_modify_inheritance(_ldb, object_dn)
1085 user_name = "testuser8"
1086 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1087 # Open Ldb connection with the tested user
1088 _ldb = self.get_ldb_connection(user_name, "samba123@")
1089 # Create example Configuration container
1090 container_name = "test-container1"
1091 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1092 delete_force(self.ldb_admin, object_dn)
1093 self.create_configuration_container(_ldb, object_dn, )
1094 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1095 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1096 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1097 self.check_modify_inheritance(_ldb, object_dn)
1099 # Custom descriptor tests ##################################################################
1102 user_name = "testuser1"
1103 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1104 # Open Ldb connection with the tested user
1105 _ldb = self.get_ldb_connection(user_name, "samba123@")
1106 # Create example Configuration container
1107 container_name = "test-container1"
1108 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1109 delete_force(self.ldb_admin, object_dn)
1110 # Create a custom security descriptor
1111 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1112 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1113 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1114 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1115 self.assertEqual("O:DAG:DA", res)
1118 user_name = "testuser2"
1119 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1120 # Open Ldb connection with the tested user
1121 _ldb = self.get_ldb_connection(user_name, "samba123@")
1122 # Create example Configuration container
1123 container_name = "test-container1"
1124 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1125 delete_force(self.ldb_admin, object_dn)
1126 # Create a custom security descriptor
1127 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1128 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1129 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1130 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1131 self.assertEqual("O:DAG:DA", res)
1134 user_name = "testuser3"
1135 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1136 # Open Ldb connection with the tested user
1137 _ldb = self.get_ldb_connection(user_name, "samba123@")
1138 # Create example Configuration container
1139 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1140 delete_force(self.ldb_admin, object_dn)
1141 self.create_configuration_container(self.ldb_admin, object_dn, )
1142 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1143 mod = "(A;;CC;;;AU)"
1144 self.sd_utils.dacl_add_ace(object_dn, mod)
1145 # Create child object with user's credentials
1146 object_dn = "CN=test-specifier1," + object_dn
1147 delete_force(self.ldb_admin, object_dn)
1148 # Create a custom security descriptor
1149 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1150 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1151 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1152 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1153 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1154 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1157 user_name = "testuser4"
1158 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1159 # Open Ldb connection with the tested user
1160 _ldb = self.get_ldb_connection(user_name, "samba123@")
1161 # Create example Configuration container
1162 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1163 delete_force(self.ldb_admin, object_dn)
1164 self.create_configuration_container(self.ldb_admin, object_dn, )
1165 user_sid = self.sd_utils.get_object_sid( self.get_users_domain_dn(user_name) )
1166 mod = "(A;;CC;;;AU)"
1167 self.sd_utils.dacl_add_ace(object_dn, mod)
1168 # Create child object with user's credentials
1169 object_dn = "CN=test-specifier1," + object_dn
1170 delete_force(self.ldb_admin, object_dn)
1171 # Create a custom security descriptor
1172 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1173 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1174 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1175 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1176 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1177 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1180 user_name = "testuser5"
1181 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1182 # Open Ldb connection with the tested user
1183 _ldb = self.get_ldb_connection(user_name, "samba123@")
1184 # Create example Configuration container
1185 container_name = "test-container1"
1186 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1187 delete_force(self.ldb_admin, object_dn)
1188 # Create a custom security descriptor
1189 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1190 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1191 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1192 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1193 self.assertEqual("O:DAG:DA", res)
1196 user_name = "testuser6"
1197 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1198 # Open Ldb connection with the tested user
1199 _ldb = self.get_ldb_connection(user_name, "samba123@")
1200 # Create example Configuration container
1201 container_name = "test-container1"
1202 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1203 delete_force(self.ldb_admin, object_dn)
1204 # Create a custom security descriptor
1205 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1206 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1207 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1208 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1209 self.assertEqual("O:DAG:DA", res)
1212 user_name = "testuser7"
1213 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1214 # Open Ldb connection with the tested user
1215 _ldb = self.get_ldb_connection(user_name, "samba123@")
1216 # Create example Configuration container
1217 container_name = "test-container1"
1218 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1219 delete_force(self.ldb_admin, object_dn)
1220 # Create a custom security descriptor
1221 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1222 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1223 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1224 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1225 self.assertEqual("O:DAG:DA", res)
1228 user_name = "testuser8"
1229 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1230 # Open Ldb connection with the tested user
1231 _ldb = self.get_ldb_connection(user_name, "samba123@")
1232 # Create example Configuration container
1233 container_name = "test-container1"
1234 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1235 delete_force(self.ldb_admin, object_dn)
1236 # Create a custom security descriptor
1237 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1238 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1239 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1240 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1241 self.assertEqual("O:DAG:DA", res)
1243 ########################################################################################
1244 # Inheritance tests for DACL
1246 class DaclDescriptorTests(DescriptorTests):
1248 def deleteAll(self):
1249 delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1250 delete_force(self.ldb_admin, "OU=test_inherit_ou5,OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1251 delete_force(self.ldb_admin, "OU=test_inherit_ou6,OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1252 delete_force(self.ldb_admin, "OU=test_inherit_ou1,OU=test_inherit_ou_p," + self.base_dn)
1253 delete_force(self.ldb_admin, "OU=test_inherit_ou2,OU=test_inherit_ou_p," + self.base_dn)
1254 delete_force(self.ldb_admin, "OU=test_inherit_ou3,OU=test_inherit_ou_p," + self.base_dn)
1255 delete_force(self.ldb_admin, "OU=test_inherit_ou4,OU=test_inherit_ou_p," + self.base_dn)
1256 delete_force(self.ldb_admin, "OU=test_inherit_ou_p," + self.base_dn)
1257 delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1260 super(DaclDescriptorTests, self).setUp()
1263 def create_clean_ou(self, object_dn):
1264 """ Base repeating setup for unittests to follow """
1265 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1266 expression="distinguishedName=%s" % object_dn)
1267 # Make sure top testing OU has been deleted before starting the test
1268 self.assertEqual(len(res), 0)
1269 self.ldb_admin.create_ou(object_dn)
1270 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1271 # Make sure there are inheritable ACEs initially
1272 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1273 # Find and remove all inherit ACEs
1274 res = re.findall("\(.*?\)", desc_sddl)
1275 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1277 desc_sddl = desc_sddl.replace(x, "")
1278 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1279 # can propagate from above
1280 # remove SACL, we are not interested
1281 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1282 self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
1283 # Verify all inheritable ACEs are gone
1284 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
1285 self.assertFalse("CI" in desc_sddl)
1286 self.assertFalse("OI" in desc_sddl)
1289 """ OU with protected flag and child group. See if the group has inherit ACEs.
1291 ou_dn = "OU=test_inherit_ou," + self.base_dn
1292 group_dn = "CN=test_inherit_group," + ou_dn
1293 # Create inheritable-free OU
1294 self.create_clean_ou(ou_dn)
1295 # Create group child object
1296 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1297 # Make sure created group object contains NO inherit ACEs
1298 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1299 self.assertFalse("ID" in desc_sddl)
1302 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1303 Verify group has custom and default ACEs only.
1305 ou_dn = "OU=test_inherit_ou," + self.base_dn
1306 group_dn = "CN=test_inherit_group," + ou_dn
1307 # Create inheritable-free OU
1308 self.create_clean_ou(ou_dn)
1309 # Create group child object using custom security descriptor
1310 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1311 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
1312 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1313 # Make sure created group descriptor has NO additional ACEs
1314 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1315 self.assertEqual(desc_sddl, sddl)
1316 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1317 self.sd_utils.modify_sd_on_dn(group_dn, sddl)
1318 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1319 self.assertEqual(desc_sddl, sddl)
1322 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1323 See if the group has any of the added ACEs.
1325 ou_dn = "OU=test_inherit_ou," + self.base_dn
1326 group_dn = "CN=test_inherit_group," + ou_dn
1327 # Create inheritable-free OU
1328 self.create_clean_ou(ou_dn)
1329 # Add some custom non-inheritable ACEs
1330 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1331 moded = "(D;;CC;;;LG)"
1332 self.sd_utils.dacl_add_ace(ou_dn, mod)
1333 # Verify all inheritable ACEs are gone
1334 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1335 # Create group child object
1336 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1337 # Make sure created group object contains NO inherit ACEs
1338 # also make sure the added above non-inheritable ACEs are absent too
1339 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1340 self.assertFalse("ID" in desc_sddl)
1341 for x in re.findall("\(.*?\)", mod):
1342 self.assertFalse(x in desc_sddl)
1343 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1344 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1345 self.assertFalse("ID" in desc_sddl)
1346 for x in re.findall("\(.*?\)", mod):
1347 self.assertFalse(x in desc_sddl)
1350 """ OU with protected flag and add 'CI' ACE, child group.
1351 See if the group has the added inherited ACE.
1353 ou_dn = "OU=test_inherit_ou," + self.base_dn
1354 group_dn = "CN=test_inherit_group," + ou_dn
1355 # Create inheritable-free OU
1356 self.create_clean_ou(ou_dn)
1357 # Add some custom 'CI' ACE
1358 mod = "(D;CI;WP;;;DU)"
1359 moded = "(D;;CC;;;LG)"
1360 self.sd_utils.dacl_add_ace(ou_dn, mod)
1361 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1362 # Create group child object
1363 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1364 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1365 # Make sure created group object contains only the above inherited ACE
1366 # that we've added manually
1367 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1368 mod = mod.replace(";CI;", ";CIID;")
1369 self.assertTrue(mod in desc_sddl)
1370 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1371 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1372 self.assertTrue(moded in desc_sddl)
1373 self.assertTrue(mod in desc_sddl)
1376 """ OU with protected flag and add 'OI' ACE, child group.
1377 See if the group has the added inherited ACE.
1379 ou_dn = "OU=test_inherit_ou," + self.base_dn
1380 group_dn = "CN=test_inherit_group," + ou_dn
1381 # Create inheritable-free OU
1382 self.create_clean_ou(ou_dn)
1383 # Add some custom 'CI' ACE
1384 mod = "(D;OI;WP;;;DU)"
1385 moded = "(D;;CC;;;LG)"
1386 self.sd_utils.dacl_add_ace(ou_dn, mod)
1387 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1388 # Create group child object
1389 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1390 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1391 # Make sure created group object contains only the above inherited ACE
1392 # that we've added manually
1393 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1394 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1395 self.assertTrue(mod in desc_sddl)
1396 self.sd_utils.modify_sd_on_dn(group_dn, "D:" +moded)
1397 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1398 self.assertTrue(moded in desc_sddl)
1399 self.assertTrue(mod in desc_sddl)
1402 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1403 See if the group has the added inherited ACE.
1405 ou_dn = "OU=test_inherit_ou," + self.base_dn
1406 group_dn = "CN=test_inherit_group," + ou_dn
1407 # Create inheritable-free OU
1408 self.create_clean_ou(ou_dn)
1409 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1410 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1411 moded = "(D;;CC;;;LG)"
1412 self.sd_utils.dacl_add_ace(ou_dn, mod)
1413 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1414 # Create group child object
1415 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1416 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1417 # Make sure created group object contains only the above inherited ACE
1418 # that we've added manually
1419 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1420 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1421 self.assertTrue(mod in desc_sddl)
1422 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1423 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1424 self.assertTrue(moded in desc_sddl)
1425 self.assertTrue(mod in desc_sddl)
1428 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1429 See if the group has the added inherited ACE.
1431 ou_dn = "OU=test_inherit_ou," + self.base_dn
1432 group_dn = "CN=test_inherit_group," + ou_dn
1433 # Create inheritable-free OU
1434 self.create_clean_ou(ou_dn)
1435 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1436 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1437 moded = "(D;;CC;;;LG)"
1438 self.sd_utils.dacl_add_ace(ou_dn, mod)
1439 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1440 # Create group child object
1441 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1442 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1443 # Make sure created group object contains only the above inherited ACE
1444 # that we've added manually
1445 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1446 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1447 self.assertTrue(mod in desc_sddl)
1448 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1449 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1450 self.assertTrue(moded in desc_sddl)
1451 self.assertTrue(mod in desc_sddl)
1454 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1455 See if the group has the added inherited ACE.
1457 ou_dn = "OU=test_inherit_ou," + self.base_dn
1458 group_dn = "CN=test_inherit_group," + ou_dn
1459 # Create inheritable-free OU
1460 self.create_clean_ou(ou_dn)
1461 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1462 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1463 moded = "(D;;CC;;;LG)"
1464 self.sd_utils.dacl_add_ace(ou_dn, mod)
1465 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1466 # Create group child object
1467 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1468 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1469 # Make sure created group object contains only the above inherited ACE
1470 # that we've added manually
1471 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1472 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1473 self.assertTrue(mod in desc_sddl)
1474 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1475 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1476 self.assertTrue(moded in desc_sddl)
1477 self.assertTrue(mod in desc_sddl)
1480 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1481 See if the group has the added inherited ACE.
1483 ou_dn = "OU=test_inherit_ou," + self.base_dn
1484 group_dn = "CN=test_inherit_group," + ou_dn
1485 # Create inheritable-free OU
1486 self.create_clean_ou(ou_dn)
1487 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1488 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1489 moded = "(D;;CC;;;LG)"
1490 self.sd_utils.dacl_add_ace(ou_dn, mod)
1491 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1492 # Create group child object
1493 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1494 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1495 # Make sure created group object contains only the above inherited ACE
1496 # that we've added manually
1497 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1498 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1499 self.assertTrue(mod in desc_sddl)
1500 self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1501 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1502 self.assertTrue(moded in desc_sddl)
1503 self.assertTrue(mod in desc_sddl)
1506 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1507 See if the group has the added inherited ACE.
1509 ou_dn = "OU=test_inherit_ou," + self.base_dn
1510 group_dn = "CN=test_inherit_group," + ou_dn
1511 # Create inheritable-free OU
1512 self.create_clean_ou(ou_dn)
1513 # Add some custom 'CI' ACE
1514 mod = "(D;CI;WP;;;CO)"
1515 moded = "(D;;CC;;;LG)"
1516 self.sd_utils.dacl_add_ace(ou_dn, mod)
1517 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1518 # Create group child object
1519 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1520 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1521 # Make sure created group object contains only the above inherited ACE(s)
1522 # that we've added manually
1523 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1524 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1525 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1526 self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
1527 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1528 self.assertTrue(moded in desc_sddl)
1529 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1530 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1533 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1535 ou_dn = "OU=test_inherit_ou," + self.base_dn
1536 group_dn = "CN=test_inherit_group," + ou_dn
1537 self.create_clean_ou(ou_dn)
1538 # Add some custom ACE
1539 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1540 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1541 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1542 # Make sure created group object does not contain the ID ace
1543 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1544 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1547 """ Provide ACE with CO SID, should be expanded and replaced
1549 ou_dn = "OU=test_inherit_ou," + self.base_dn
1550 group_dn = "CN=test_inherit_group," + ou_dn
1551 # Create inheritable-free OU
1552 self.create_clean_ou(ou_dn)
1553 # Add some custom 'CI' ACE
1554 mod = "D:(D;CI;WP;;;CO)"
1555 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1556 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1557 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1558 self.assertTrue("(D;;WP;;;DA)" in desc_sddl)
1559 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1562 """ Provide ACE with IO flag, should be ignored
1564 ou_dn = "OU=test_inherit_ou," + self.base_dn
1565 group_dn = "CN=test_inherit_group," + ou_dn
1566 # Create inheritable-free OU
1567 self.create_clean_ou(ou_dn)
1568 # Add some custom 'CI' ACE
1569 mod = "D:(D;CIIO;WP;;;CO)"
1570 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1571 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1572 # Make sure created group object contains only the above inherited ACE(s)
1573 # that we've added manually
1574 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1575 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1576 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1577 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1580 """ Provide ACE with IO flag, should be ignored
1582 ou_dn = "OU=test_inherit_ou," + self.base_dn
1583 group_dn = "CN=test_inherit_group," + ou_dn
1584 # Create inheritable-free OU
1585 self.create_clean_ou(ou_dn)
1586 mod = "D:(D;IO;WP;;;DA)"
1587 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1588 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1589 # Make sure created group object contains only the above inherited ACE(s)
1590 # that we've added manually
1591 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1592 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1595 """ Test behavior of ACEs containing generic rights
1597 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1598 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1599 ou_dn2 = "OU=test_inherit_ou2," + ou_dn
1600 ou_dn3 = "OU=test_inherit_ou3," + ou_dn
1601 ou_dn4 = "OU=test_inherit_ou4," + ou_dn
1602 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1603 ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
1604 # Create inheritable-free OU
1605 mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1606 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1607 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1608 mod = "D:(A;CI;GA;;;DU)"
1609 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1610 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1611 mod = "D:(A;CIIO;GA;;;DU)"
1612 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1613 self.ldb_admin.create_ou(ou_dn2, sd=tmp_desc)
1614 mod = "D:(A;;GA;;;DU)"
1615 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1616 self.ldb_admin.create_ou(ou_dn3, sd=tmp_desc)
1617 mod = "D:(A;IO;GA;;;DU)"
1618 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1619 self.ldb_admin.create_ou(ou_dn4, sd=tmp_desc)
1621 self.ldb_admin.create_ou(ou_dn5)
1622 self.ldb_admin.create_ou(ou_dn6)
1624 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
1625 self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1626 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1627 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
1628 self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1629 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
1630 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
1631 self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1632 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1633 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
1634 self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1635 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
1636 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1637 self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1638 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1639 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
1640 self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
1641 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
1644 """ Make sure IO flag is removed in child objects
1646 ou_dn = "OU=test_inherit_ou_p," + self.base_dn
1647 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
1648 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
1649 # Create inheritable-free OU
1650 mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
1651 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1652 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1653 mod = "D:(A;CIIO;WP;;;DU)"
1654 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1655 self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
1656 self.ldb_admin.create_ou(ou_dn5)
1657 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
1658 self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
1659 self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
1662 """ Make sure ID ACES provided by user are ignored
1664 ou_dn = "OU=test_inherit_ou," + self.base_dn
1665 group_dn = "CN=test_inherit_group," + ou_dn
1666 mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1667 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1668 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1669 # Add some custom ACE
1670 mod = "D:(D;ID;WP;;;AU)"
1671 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1672 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1673 # Make sure created group object does not contain the ID ace
1674 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1675 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1676 self.assertFalse("(A;;WP;;;AU)" in desc_sddl)
1679 """ Make sure ID ACES provided by user are not ignored if P flag is set
1681 ou_dn = "OU=test_inherit_ou," + self.base_dn
1682 group_dn = "CN=test_inherit_group," + ou_dn
1683 mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
1684 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1685 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
1686 # Add some custom ACE
1687 mod = "D:P(A;ID;WP;;;AU)"
1688 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1689 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1690 # Make sure created group object does not contain the ID ace
1691 desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
1692 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1693 self.assertTrue("(A;;WP;;;AU)" in desc_sddl)
1695 ########################################################################################
1698 class SdFlagsDescriptorTests(DescriptorTests):
1699 def deleteAll(self):
1700 delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1703 super(SdFlagsDescriptorTests, self).setUp()
1704 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1708 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1709 See that only the owner has been changed.
1711 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1712 self.ldb_admin.create_ou(ou_dn)
1713 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1714 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1715 # make sure we have modified the owner
1716 self.assertTrue("O:AU" in desc_sddl)
1717 # make sure nothing else has been modified
1718 self.assertFalse("G:AU" in desc_sddl)
1719 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1720 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1723 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1724 See that only the owner has been changed.
1726 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1727 self.ldb_admin.create_ou(ou_dn)
1728 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1729 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1730 # make sure we have modified the group
1731 self.assertTrue("G:AU" in desc_sddl)
1732 # make sure nothing else has been modified
1733 self.assertFalse("O:AU" in desc_sddl)
1734 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1735 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1738 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1739 See that only the owner has been changed.
1741 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1742 self.ldb_admin.create_ou(ou_dn)
1743 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1744 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1745 # make sure we have modified the DACL
1746 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1747 # make sure nothing else has been modified
1748 self.assertFalse("O:AU" in desc_sddl)
1749 self.assertFalse("G:AU" in desc_sddl)
1750 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1753 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1754 See that only the owner has been changed.
1756 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1757 self.ldb_admin.create_ou(ou_dn)
1758 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1759 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1760 # make sure we have modified the DACL
1761 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1762 # make sure nothing else has been modified
1763 self.assertFalse("O:AU" in desc_sddl)
1764 self.assertFalse("G:AU" in desc_sddl)
1765 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1768 """ Modify a descriptor with 0x0 set.
1769 Contrary to logic this is interpreted as no control,
1770 which is the same as 0xF
1772 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1773 self.ldb_admin.create_ou(ou_dn)
1774 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1775 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1776 # make sure we have modified the DACL
1777 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1778 # make sure nothing else has been modified
1779 self.assertTrue("O:AU" in desc_sddl)
1780 self.assertTrue("G:AU" in desc_sddl)
1781 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1784 """ Modify a descriptor with 0xF set.
1786 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1787 self.ldb_admin.create_ou(ou_dn)
1788 self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1789 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
1790 # make sure we have modified the DACL
1791 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1792 # make sure nothing else has been modified
1793 self.assertTrue("O:AU" in desc_sddl)
1794 self.assertTrue("G:AU" in desc_sddl)
1795 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1798 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1799 Only the owner part should be returned.
1801 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1802 self.ldb_admin.create_ou(ou_dn)
1803 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1804 # make sure we have read the owner
1805 self.assertTrue("O:" in desc_sddl)
1806 # make sure we have read nothing else
1807 self.assertFalse("G:" in desc_sddl)
1808 self.assertFalse("D:" in desc_sddl)
1809 self.assertFalse("S:" in desc_sddl)
1812 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1813 Only the group part should be returned.
1815 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1816 self.ldb_admin.create_ou(ou_dn)
1817 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1818 # make sure we have read the owner
1819 self.assertTrue("G:" in desc_sddl)
1820 # make sure we have read nothing else
1821 self.assertFalse("O:" in desc_sddl)
1822 self.assertFalse("D:" in desc_sddl)
1823 self.assertFalse("S:" in desc_sddl)
1826 """ Read a descriptor with SACL_SECURITY_INFORMATION
1827 Only the sacl part should be returned.
1829 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1830 self.ldb_admin.create_ou(ou_dn)
1831 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1832 # make sure we have read the owner
1833 self.assertTrue("S:" in desc_sddl)
1834 # make sure we have read nothing else
1835 self.assertFalse("O:" in desc_sddl)
1836 self.assertFalse("D:" in desc_sddl)
1837 self.assertFalse("G:" in desc_sddl)
1840 """ Read a descriptor with DACL_SECURITY_INFORMATION
1841 Only the dacl part should be returned.
1843 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1844 self.ldb_admin.create_ou(ou_dn)
1845 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1846 # make sure we have read the owner
1847 self.assertTrue("D:" in desc_sddl)
1848 # make sure we have read nothing else
1849 self.assertFalse("O:" in desc_sddl)
1850 self.assertFalse("S:" in desc_sddl)
1851 self.assertFalse("G:" in desc_sddl)
1854 sd_flags = (SECINFO_OWNER |
1859 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1861 self.assertFalse("nTSecurityDescriptor" in res[0])
1863 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1864 ["name"], controls=None)
1865 self.assertFalse("nTSecurityDescriptor" in res[0])
1867 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1868 ["name"], controls=["sd_flags:1:%d" % (sd_flags)])
1869 self.assertFalse("nTSecurityDescriptor" in res[0])
1871 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1872 [], controls=["sd_flags:1:%d" % (sd_flags)])
1873 self.assertTrue("nTSecurityDescriptor" in res[0])
1874 tmp = res[0]["nTSecurityDescriptor"][0]
1875 sd = ndr_unpack(security.descriptor, tmp)
1876 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1877 self.assertTrue("O:" in sddl)
1878 self.assertTrue("G:" in sddl)
1879 self.assertTrue("D:" in sddl)
1880 self.assertTrue("S:" in sddl)
1882 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1883 ["*"], controls=["sd_flags:1:%d" % (sd_flags)])
1884 self.assertTrue("nTSecurityDescriptor" in res[0])
1885 tmp = res[0]["nTSecurityDescriptor"][0]
1886 sd = ndr_unpack(security.descriptor, tmp)
1887 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1888 self.assertTrue("O:" in sddl)
1889 self.assertTrue("G:" in sddl)
1890 self.assertTrue("D:" in sddl)
1891 self.assertTrue("S:" in sddl)
1893 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1894 ["nTSecurityDescriptor", "*"], controls=["sd_flags:1:%d" % (sd_flags)])
1895 self.assertTrue("nTSecurityDescriptor" in res[0])
1896 tmp = res[0]["nTSecurityDescriptor"][0]
1897 sd = ndr_unpack(security.descriptor, tmp)
1898 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1899 self.assertTrue("O:" in sddl)
1900 self.assertTrue("G:" in sddl)
1901 self.assertTrue("D:" in sddl)
1902 self.assertTrue("S:" in sddl)
1904 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1905 ["*", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
1906 self.assertTrue("nTSecurityDescriptor" in res[0])
1907 tmp = res[0]["nTSecurityDescriptor"][0]
1908 sd = ndr_unpack(security.descriptor, tmp)
1909 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1910 self.assertTrue("O:" in sddl)
1911 self.assertTrue("G:" in sddl)
1912 self.assertTrue("D:" in sddl)
1913 self.assertTrue("S:" in sddl)
1915 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1916 ["nTSecurityDescriptor", "name"], controls=["sd_flags:1:%d" % (sd_flags)])
1917 self.assertTrue("nTSecurityDescriptor" in res[0])
1918 tmp = res[0]["nTSecurityDescriptor"][0]
1919 sd = ndr_unpack(security.descriptor, tmp)
1920 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1921 self.assertTrue("O:" in sddl)
1922 self.assertTrue("G:" in sddl)
1923 self.assertTrue("D:" in sddl)
1924 self.assertTrue("S:" in sddl)
1926 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1927 ["name", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)])
1928 self.assertTrue("nTSecurityDescriptor" in res[0])
1929 tmp = res[0]["nTSecurityDescriptor"][0]
1930 sd = ndr_unpack(security.descriptor, tmp)
1931 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1932 self.assertTrue("O:" in sddl)
1933 self.assertTrue("G:" in sddl)
1934 self.assertTrue("D:" in sddl)
1935 self.assertTrue("S:" in sddl)
1937 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1938 ["nTSecurityDescriptor"], controls=None)
1939 self.assertTrue("nTSecurityDescriptor" in res[0])
1940 tmp = res[0]["nTSecurityDescriptor"][0]
1941 sd = ndr_unpack(security.descriptor, tmp)
1942 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1943 self.assertTrue("O:" in sddl)
1944 self.assertTrue("G:" in sddl)
1945 self.assertTrue("D:" in sddl)
1946 self.assertTrue("S:" in sddl)
1948 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1949 ["name", "nTSecurityDescriptor"], controls=None)
1950 self.assertTrue("nTSecurityDescriptor" in res[0])
1951 tmp = res[0]["nTSecurityDescriptor"][0]
1952 sd = ndr_unpack(security.descriptor, tmp)
1953 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1954 self.assertTrue("O:" in sddl)
1955 self.assertTrue("G:" in sddl)
1956 self.assertTrue("D:" in sddl)
1957 self.assertTrue("S:" in sddl)
1959 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
1960 ["nTSecurityDescriptor", "name"], controls=None)
1961 self.assertTrue("nTSecurityDescriptor" in res[0])
1962 tmp = res[0]["nTSecurityDescriptor"][0]
1963 sd = ndr_unpack(security.descriptor, tmp)
1964 sddl = sd.as_sddl(self.sd_utils.domain_sid)
1965 self.assertTrue("O:" in sddl)
1966 self.assertTrue("G:" in sddl)
1967 self.assertTrue("D:" in sddl)
1968 self.assertTrue("S:" in sddl)
1971 """This search is done by the windows dc join..."""
1973 res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["1.1"],
1974 controls=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"])
1975 self.assertFalse("nTSecurityDescriptor" in res[0])
1977 class RightsAttributesTests(DescriptorTests):
1979 def deleteAll(self):
1980 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1981 delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1982 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1985 super(RightsAttributesTests, self).setUp()
1989 self.ldb_admin.newuser("testuser_attr", "samba123@")
1990 # User 2, Domain Admins
1991 self.ldb_admin.newuser("testuser_attr2", "samba123@")
1992 self.ldb_admin.add_remove_group_members("Domain Admins",
1994 add_members_operation=True)
1996 def test_sDRightsEffective(self):
1997 object_dn = "OU=test_domain_ou1," + self.base_dn
1998 delete_force(self.ldb_admin, object_dn)
1999 self.ldb_admin.create_ou(object_dn)
2000 print self.get_users_domain_dn("testuser_attr")
2001 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2002 #give testuser1 read access so attributes can be retrieved
2003 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2004 self.sd_utils.dacl_add_ace(object_dn, mod)
2005 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2006 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2007 attrs=["sDRightsEffective"])
2008 #user whould have no rights at all
2009 self.assertEquals(len(res), 1)
2010 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
2011 #give the user Write DACL and see what happens
2012 mod = "(A;CI;WD;;;%s)" % str(user_sid)
2013 self.sd_utils.dacl_add_ace(object_dn, mod)
2014 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2015 attrs=["sDRightsEffective"])
2016 #user whould have DACL_SECURITY_INFORMATION
2017 self.assertEquals(len(res), 1)
2018 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
2019 #give the user Write Owners and see what happens
2020 mod = "(A;CI;WO;;;%s)" % str(user_sid)
2021 self.sd_utils.dacl_add_ace(object_dn, mod)
2022 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2023 attrs=["sDRightsEffective"])
2024 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2025 self.assertEquals(len(res), 1)
2026 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
2027 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
2028 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
2029 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2030 attrs=["sDRightsEffective"])
2031 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
2032 self.assertEquals(len(res), 1)
2033 self.assertEquals(res[0]["sDRightsEffective"][0], \
2034 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
2036 def test_allowedChildClassesEffective(self):
2037 object_dn = "OU=test_domain_ou1," + self.base_dn
2038 delete_force(self.ldb_admin, object_dn)
2039 self.ldb_admin.create_ou(object_dn)
2040 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2041 #give testuser1 read access so attributes can be retrieved
2042 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2043 self.sd_utils.dacl_add_ace(object_dn, mod)
2044 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2045 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2046 attrs=["allowedChildClassesEffective"])
2047 #there should be no allowed child classes
2048 self.assertEquals(len(res), 1)
2049 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
2050 #give the user the right to create children of type user
2051 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2052 self.sd_utils.dacl_add_ace(object_dn, mod)
2053 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2054 attrs=["allowedChildClassesEffective"])
2055 # allowedChildClassesEffective should only have one value, user
2056 self.assertEquals(len(res), 1)
2057 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
2058 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
2060 def test_allowedAttributesEffective(self):
2061 object_dn = "OU=test_domain_ou1," + self.base_dn
2062 delete_force(self.ldb_admin, object_dn)
2063 self.ldb_admin.create_ou(object_dn)
2064 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn("testuser_attr"))
2065 #give testuser1 read access so attributes can be retrieved
2066 mod = "(A;CI;RP;;;%s)" % str(user_sid)
2067 self.sd_utils.dacl_add_ace(object_dn, mod)
2068 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
2069 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2070 attrs=["allowedAttributesEffective"])
2071 #there should be no allowed attributes
2072 self.assertEquals(len(res), 1)
2073 self.assertFalse("allowedAttributesEffective" in res[0].keys())
2074 #give the user the right to write displayName and managedBy
2075 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
2076 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
2077 # also rights to modify an read only attribute, fromEntry
2078 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
2079 self.sd_utils.dacl_add_ace(object_dn, mod + mod2 + mod3)
2080 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
2081 attrs=["allowedAttributesEffective"])
2082 # value should only contain user and managedBy
2083 self.assertEquals(len(res), 1)
2084 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
2085 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
2086 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
2088 class SdAutoInheritTests(DescriptorTests):
2089 def deleteAll(self):
2090 delete_force(self.ldb_admin, self.sub_dn)
2091 delete_force(self.ldb_admin, self.ou_dn)
2094 super(SdAutoInheritTests, self).setUp()
2095 self.ou_dn = "OU=test_SdAutoInherit_ou," + self.base_dn
2096 self.sub_dn = "OU=test_sub," + self.ou_dn
2100 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
2101 See that only the owner has been changed.
2103 attrs = ["nTSecurityDescriptor", "replPropertyMetaData", "uSNChanged"]
2104 controls=["sd_flags:1:%d" % (SECINFO_DACL)]
2105 ace = "(A;CI;CC;;;NU)"
2106 sub_ace = "(A;CIID;CC;;;NU)"
2107 sd_sddl = "O:BAG:BAD:P(A;CI;0x000f01ff;;;AU)"
2108 sd = security.descriptor.from_sddl(sd_sddl, self.domain_sid)
2110 self.ldb_admin.create_ou(self.ou_dn,sd=sd)
2111 self.ldb_admin.create_ou(self.sub_dn)
2113 ou_res0 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
2114 None, attrs, controls=controls)
2115 sub_res0 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
2116 None, attrs, controls=controls)
2118 ou_sd0 = ndr_unpack(security.descriptor, ou_res0[0]["nTSecurityDescriptor"][0])
2119 sub_sd0 = ndr_unpack(security.descriptor, sub_res0[0]["nTSecurityDescriptor"][0])
2121 ou_sddl0 = ou_sd0.as_sddl(self.domain_sid)
2122 sub_sddl0 = sub_sd0.as_sddl(self.domain_sid)
2124 self.assertFalse(ace in ou_sddl0)
2125 self.assertFalse(ace in sub_sddl0)
2127 ou_sddl1 = (ou_sddl0[:ou_sddl0.index("(")] + ace +
2128 ou_sddl0[ou_sddl0.index("("):])
2130 sub_sddl1 = (sub_sddl0[:sub_sddl0.index("(")] + ace +
2131 sub_sddl0[sub_sddl0.index("("):])
2133 self.sd_utils.modify_sd_on_dn(self.ou_dn, ou_sddl1, controls=controls)
2135 sub_res2 = self.sd_utils.ldb.search(self.sub_dn, SCOPE_BASE,
2136 None, attrs, controls=controls)
2137 ou_res2 = self.sd_utils.ldb.search(self.ou_dn, SCOPE_BASE,
2138 None, attrs, controls=controls)
2140 ou_sd2 = ndr_unpack(security.descriptor, ou_res2[0]["nTSecurityDescriptor"][0])
2141 sub_sd2 = ndr_unpack(security.descriptor, sub_res2[0]["nTSecurityDescriptor"][0])
2143 ou_sddl2 = ou_sd2.as_sddl(self.domain_sid)
2144 sub_sddl2 = sub_sd2.as_sddl(self.domain_sid)
2146 self.assertFalse(ou_sddl2 == ou_sddl0)
2147 self.assertFalse(sub_sddl2 == sub_sddl0)
2149 if ace not in ou_sddl2:
2150 print "ou0: %s" % ou_sddl0
2151 print "ou2: %s" % ou_sddl2
2153 if sub_ace not in sub_sddl2:
2154 print "sub0: %s" % sub_sddl0
2155 print "sub2: %s" % sub_sddl2
2157 self.assertTrue(ace in ou_sddl2)
2158 self.assertTrue(sub_ace in sub_sddl2)
2160 ou_usn0 = int(ou_res0[0]["uSNChanged"][0])
2161 ou_usn2 = int(ou_res2[0]["uSNChanged"][0])
2162 self.assertTrue(ou_usn2 > ou_usn0)
2164 sub_usn0 = int(sub_res0[0]["uSNChanged"][0])
2165 sub_usn2 = int(sub_res2[0]["uSNChanged"][0])
2166 self.assertTrue(sub_usn2 == sub_usn0)
2168 if not "://" in host:
2169 if os.path.isfile(host):
2170 host = "tdb://%s" % host
2172 host = "ldap://%s" % host
2174 # use 'paged_search' module when connecting remotely
2175 if host.lower().startswith("ldap://"):
2176 ldb_options = ["modules:paged_searches"]
2178 TestProgram(module=__name__, opts=subunitopts)