2 # -*- coding: utf-8 -*-
11 sys.path.append("bin/python")
13 samba.ensure_external_module("testtools", "testtools")
14 samba.ensure_external_module("subunit", "subunit/python")
16 import samba.getopt as options
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
21 # For running the test unit
22 from samba.ndr import ndr_pack, ndr_unpack
23 from samba.dcerpc import security
25 from samba import gensec
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32 from subunit.run import SubunitTestRunner
36 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
37 sambaopts = options.SambaOptions(parser)
38 parser.add_option_group(sambaopts)
39 parser.add_option_group(options.VersionOptions(parser))
41 # use command line creds if available
42 credopts = options.CredentialsOptions(parser)
43 parser.add_option_group(credopts)
44 opts, args = parser.parse_args()
52 lp = sambaopts.get_loadparm()
53 creds = credopts.get_credentials(lp)
54 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
60 class DescriptorTests(samba.tests.TestCase):
62 def delete_force(self, ldb, dn):
65 except LdbError, (num, _):
66 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
68 def find_domain_sid(self, ldb):
69 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
70 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
72 def get_users_domain_dn(self, name):
73 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
75 def modify_desc(self, _ldb, object_dn, desc, controls=None):
76 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
78 dn: """ + object_dn + """
80 replace: nTSecurityDescriptor
82 if isinstance(desc, str):
83 mod += "nTSecurityDescriptor: %s" % desc
84 elif isinstance(desc, security.descriptor):
85 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
86 _ldb.modify_ldif(mod, controls)
88 def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
91 ou: """ + ou_dn.split(",")[0][3:] + """
92 objectClass: organizationalUnit
96 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
97 if isinstance(desc, str):
98 ldif += "nTSecurityDescriptor: %s" % desc
99 elif isinstance(desc, security.descriptor):
100 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
101 _ldb.add_ldif(ldif, controls)
103 def create_domain_user(self, _ldb, user_dn, desc=None):
105 dn: """ + user_dn + """
106 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
108 userPassword: samba123@
112 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
113 if isinstance(desc, str):
114 ldif += "nTSecurityDescriptor: %s" % desc
115 elif isinstance(desc, security.descriptor):
116 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
119 def create_domain_group(self, _ldb, group_dn, desc=None):
121 dn: """ + group_dn + """
123 sAMAccountName: """ + group_dn.split(",")[0][3:] + """
128 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
129 if isinstance(desc, str):
130 ldif += "nTSecurityDescriptor: %s" % desc
131 elif isinstance(desc, security.descriptor):
132 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
135 def get_unique_schema_class_name(self):
137 class_name = "test-class%s" % random.randint(1,100000)
138 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
140 self.ldb_admin.search(base=class_dn, attrs=["*"])
141 except LdbError, (num, _):
142 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
145 def create_schema_class(self, _ldb, object_dn, desc=None):
147 dn: """ + object_dn + """
148 objectClass: classSchema
149 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
150 defaultObjectCategory: """ + object_dn + """
151 distinguishedName: """ + object_dn + """
152 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
154 objectClassCategory: 1
155 subClassOf: organizationalPerson
158 systemMustContain: cn
162 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
163 if isinstance(desc, str):
164 ldif += "nTSecurityDescriptor: %s" % desc
165 elif isinstance(desc, security.descriptor):
166 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
169 def create_configuration_container(self, _ldb, object_dn, desc=None):
171 dn: """ + object_dn + """
172 objectClass: container
173 objectCategory: CN=Container,""" + self.schema_dn + """
174 showInAdvancedViewOnly: TRUE
178 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
179 if isinstance(desc, str):
180 ldif += "nTSecurityDescriptor: %s" % desc
181 elif isinstance(desc, security.descriptor):
182 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
185 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
187 dn: """ + object_dn + """
188 objectClass: displaySpecifier
189 showInAdvancedViewOnly: TRUE
192 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
193 if isinstance(desc, str):
194 ldif += "nTSecurityDescriptor: %s" % desc
195 elif isinstance(desc, security.descriptor):
196 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
199 def read_desc(self, object_dn, controls=None):
200 res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
201 desc = res[0]["nTSecurityDescriptor"][0]
202 return ndr_unpack(security.descriptor, desc)
204 def create_active_user(self, _ldb, user_dn):
206 dn: """ + user_dn + """
207 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
209 unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
214 def get_ldb_connection(self, target_username, target_password):
215 creds_tmp = Credentials()
216 creds_tmp.set_username(target_username)
217 creds_tmp.set_password(target_password)
218 creds_tmp.set_domain(creds.get_domain())
219 creds_tmp.set_realm(creds.get_realm())
220 creds_tmp.set_workstation(creds.get_workstation())
221 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
222 | gensec.FEATURE_SEAL)
223 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
226 def get_object_sid(self, object_dn):
227 res = self.ldb_admin.search(object_dn)
228 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
230 def dacl_add_ace(self, object_dn, ace):
231 desc = self.read_desc( object_dn )
232 desc_sddl = desc.as_sddl( self.domain_sid )
235 if desc_sddl.find("(") >= 0:
236 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
238 desc_sddl = desc_sddl + ace
239 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
241 def get_desc_sddl(self, object_dn, controls=None):
242 """ Return object nTSecutiryDescriptor in SDDL format
244 desc = self.read_desc(object_dn, controls)
245 return desc.as_sddl(self.domain_sid)
247 def create_enable_user(self, username):
248 user_dn = self.get_users_domain_dn(username)
249 self.create_active_user(self.ldb_admin, user_dn)
250 self.ldb_admin.enable_account("(sAMAccountName=" + username + ")")
253 super(DescriptorTests, self).setUp()
255 self.base_dn = ldb.domain_dn()
256 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
257 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
258 self.domain_sid = self.find_domain_sid(self.ldb_admin)
259 print "baseDN: %s" % self.base_dn
261 ################################################################################################
265 # Default descriptor tests #####################################################################
267 class OwnerGroupDescriptorTests(DescriptorTests):
270 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
271 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
272 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
273 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
274 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
275 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
276 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
277 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
279 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
280 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
281 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
282 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
285 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
286 + self.configuration_dn)
287 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
290 super(OwnerGroupDescriptorTests, self).setUp()
293 # User 1 - Enterprise Admins
294 self.create_enable_user("testuser1")
295 # User 2 - Domain Admins
296 self.create_enable_user("testuser2")
297 # User 3 - Schema Admins
298 self.create_enable_user("testuser3")
299 # User 4 - regular user
300 self.create_enable_user("testuser4")
301 # User 5 - Enterprise Admins and Domain Admins
302 self.create_enable_user("testuser5")
303 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
304 self.create_enable_user("testuser6")
305 # User 7 - Domain Admins and Schema Admins
306 self.create_enable_user("testuser7")
307 # User 5 - Enterprise Admins and Schema Admins
308 self.create_enable_user("testuser8")
310 self.ldb_admin.add_remove_group_members("Enterprise Admins",
311 "testuser1,testuser5,testuser6,testuser8",
312 add_members_operation=True)
313 self.ldb_admin.add_remove_group_members("Domain Admins",
314 "testuser2,testuser5,testuser6,testuser7",
315 add_members_operation=True)
316 self.ldb_admin.add_remove_group_members("Schema Admins",
317 "testuser3,testuser6,testuser7,testuser8",
318 add_members_operation=True)
321 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
322 "ds_behavior_win2003" : {
372 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
373 "ds_behavior_win2008" : {
424 # Discover 'msDS-Behavior-Version'
425 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
426 attrs=['msDS-Behavior-Version'])
427 res = int(res[0]['msDS-Behavior-Version'][0])
428 if res < DS_DOMAIN_FUNCTION_2008:
429 self.DS_BEHAVIOR = "ds_behavior_win2003"
431 self.DS_BEHAVIOR = "ds_behavior_win2008"
434 super(DescriptorTests, self).tearDown()
437 def check_user_belongs(self, user_dn, groups=[]):
438 """ Test wether user is member of the expected group(s) """
440 # User is member of at least one additional group
441 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
442 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
445 expected.append(self.get_users_domain_dn(x))
446 expected = [x.upper() for x in sorted(expected)]
447 self.assertEqual(expected, res)
449 # User is not a member of any additional groups but default
450 res = self.ldb_admin.search(user_dn, attrs=["*"])
451 res = [x.upper() for x in res[0].keys()]
452 self.assertFalse( "MEMBEROF" in res)
454 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
456 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
457 if owner_group != "":
458 self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
460 self.modify_desc(_ldb, object_dn, "D:" + ace)
461 # Make sure the modify operation has been applied
462 desc_sddl = self.get_desc_sddl(object_dn)
463 self.assertTrue(ace in desc_sddl)
464 # Make sure we have identical result for both "add" and "modify"
465 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
466 print self._testMethodName
467 test_number = self._testMethodName[5:]
468 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
471 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
473 user_name = "testuser1"
474 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
475 # Open Ldb connection with the tested user
476 _ldb = self.get_ldb_connection(user_name, "samba123@")
477 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
478 self.delete_force(self.ldb_admin, object_dn)
479 self.create_domain_group(_ldb, object_dn)
480 desc_sddl = self.get_desc_sddl(object_dn)
481 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
482 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
483 self.check_modify_inheritance(_ldb, object_dn)
486 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
488 user_name = "testuser2"
489 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
490 # Open Ldb connection with the tested user
491 _ldb = self.get_ldb_connection(user_name, "samba123@")
492 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
493 self.delete_force(self.ldb_admin, object_dn)
494 self.create_domain_group(_ldb, object_dn)
495 desc_sddl = self.get_desc_sddl(object_dn)
496 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
497 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
498 self.check_modify_inheritance(_ldb, object_dn)
501 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
503 user_name = "testuser3"
504 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
505 # Open Ldb connection with the tested user
506 _ldb = self.get_ldb_connection(user_name, "samba123@")
507 object_dn = "OU=test_domain_ou1," + self.base_dn
508 self.delete_force(self.ldb_admin, object_dn)
509 self.create_domain_ou(self.ldb_admin, object_dn)
510 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
511 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
512 self.dacl_add_ace(object_dn, mod)
513 # Create additional object into the first one
514 object_dn = "CN=test_domain_user1," + object_dn
515 self.delete_force(self.ldb_admin, object_dn)
516 self.create_domain_user(_ldb, object_dn)
517 desc_sddl = self.get_desc_sddl(object_dn)
518 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
519 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
520 # This fails, research why
521 #self.check_modify_inheritance(_ldb, object_dn)
524 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
526 user_name = "testuser4"
527 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
528 # Open Ldb connection with the tested user
529 _ldb = self.get_ldb_connection(user_name, "samba123@")
530 object_dn = "OU=test_domain_ou1," + self.base_dn
531 self.delete_force(self.ldb_admin, object_dn)
532 self.create_domain_ou(self.ldb_admin, object_dn)
533 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
534 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
535 self.dacl_add_ace(object_dn, mod)
536 # Create additional object into the first one
537 object_dn = "CN=test_domain_user1," + object_dn
538 self.delete_force(self.ldb_admin, object_dn)
539 self.create_domain_user(_ldb, object_dn)
540 desc_sddl = self.get_desc_sddl(object_dn)
541 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
542 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
543 #this fails, research why
544 #self.check_modify_inheritance(_ldb, object_dn)
547 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
549 user_name = "testuser5"
550 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
551 # Open Ldb connection with the tested user
552 _ldb = self.get_ldb_connection(user_name, "samba123@")
553 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
554 self.delete_force(self.ldb_admin, object_dn)
555 self.create_domain_group(_ldb, object_dn)
556 desc_sddl = self.get_desc_sddl(object_dn)
557 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
558 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
559 self.check_modify_inheritance(_ldb, object_dn)
562 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
564 user_name = "testuser6"
565 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
566 # Open Ldb connection with the tested user
567 _ldb = self.get_ldb_connection(user_name, "samba123@")
568 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
569 self.delete_force(self.ldb_admin, object_dn)
570 self.create_domain_group(_ldb, object_dn)
571 desc_sddl = self.get_desc_sddl(object_dn)
572 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
573 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
574 self.check_modify_inheritance(_ldb, object_dn)
577 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
579 user_name = "testuser7"
580 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
581 # Open Ldb connection with the tested user
582 _ldb = self.get_ldb_connection(user_name, "samba123@")
583 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
584 self.delete_force(self.ldb_admin, object_dn)
585 self.create_domain_group(_ldb, object_dn)
586 desc_sddl = self.get_desc_sddl(object_dn)
587 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
588 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
589 self.check_modify_inheritance(_ldb, object_dn)
592 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
594 user_name = "testuser8"
595 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
596 # Open Ldb connection with the tested user
597 _ldb = self.get_ldb_connection(user_name, "samba123@")
598 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
599 self.delete_force(self.ldb_admin, object_dn)
600 self.create_domain_group(_ldb, object_dn)
601 desc_sddl = self.get_desc_sddl(object_dn)
602 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
603 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
604 self.check_modify_inheritance(_ldb, object_dn)
606 # Control descriptor tests #####################################################################
609 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
611 user_name = "testuser1"
612 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
613 # Open Ldb connection with the tested user
614 _ldb = self.get_ldb_connection(user_name, "samba123@")
615 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
616 self.delete_force(self.ldb_admin, object_dn)
617 # Create a custom security descriptor
618 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
619 self.create_domain_group(_ldb, object_dn, desc_sddl)
620 desc_sddl = self.get_desc_sddl(object_dn)
621 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
622 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
625 """ Domain admin group member creates object (custom descriptor) in DOMAIN
627 user_name = "testuser2"
628 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
629 # Open Ldb connection with the tested user
630 _ldb = self.get_ldb_connection(user_name, "samba123@")
631 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
632 self.delete_force(self.ldb_admin, object_dn)
633 # Create a custom security descriptor
634 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
635 self.create_domain_group(_ldb, object_dn, desc_sddl)
636 desc_sddl = self.get_desc_sddl(object_dn)
637 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
638 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
641 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
643 user_name = "testuser3"
644 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
645 # Open Ldb connection with the tested user
646 _ldb = self.get_ldb_connection(user_name, "samba123@")
647 object_dn = "OU=test_domain_ou1," + self.base_dn
648 self.delete_force(self.ldb_admin, object_dn)
649 self.create_domain_ou(self.ldb_admin, object_dn)
650 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
651 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
652 self.dacl_add_ace(object_dn, mod)
653 # Create a custom security descriptor
654 # NB! Problematic owner part won't accept DA only <User Sid> !!!
655 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
656 # Create additional object into the first one
657 object_dn = "CN=test_domain_user1," + object_dn
658 self.delete_force(self.ldb_admin, object_dn)
659 self.create_domain_user(_ldb, object_dn, desc_sddl)
660 desc = self.read_desc(object_dn)
661 desc_sddl = self.get_desc_sddl(object_dn)
662 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
663 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
666 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
668 user_name = "testuser4"
669 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
670 # Open Ldb connection with the tested user
671 _ldb = self.get_ldb_connection(user_name, "samba123@")
672 object_dn = "OU=test_domain_ou1," + self.base_dn
673 self.delete_force(self.ldb_admin, object_dn)
674 self.create_domain_ou(self.ldb_admin, object_dn)
675 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
676 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
677 self.dacl_add_ace(object_dn, mod)
678 # Create a custom security descriptor
679 # NB! Problematic owner part won't accept DA only <User Sid> !!!
680 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
681 # Create additional object into the first one
682 object_dn = "CN=test_domain_user1," + object_dn
683 self.delete_force(self.ldb_admin, object_dn)
684 self.create_domain_user(_ldb, object_dn, desc_sddl)
685 desc = self.read_desc(object_dn)
686 desc_sddl = self.get_desc_sddl(object_dn)
687 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
688 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
691 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
693 user_name = "testuser5"
694 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
695 # Open Ldb connection with the tested user
696 _ldb = self.get_ldb_connection(user_name, "samba123@")
697 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
698 self.delete_force(self.ldb_admin, object_dn)
699 # Create a custom security descriptor
700 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
701 self.create_domain_group(_ldb, object_dn, desc_sddl)
702 desc_sddl = self.get_desc_sddl(object_dn)
703 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
704 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
707 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
709 user_name = "testuser6"
710 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
711 # Open Ldb connection with the tested user
712 _ldb = self.get_ldb_connection(user_name, "samba123@")
713 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
714 self.delete_force(self.ldb_admin, object_dn)
715 # Create a custom security descriptor
716 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
717 self.create_domain_group(_ldb, object_dn, desc_sddl)
718 desc_sddl = self.get_desc_sddl(object_dn)
719 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
720 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
723 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
725 user_name = "testuser7"
726 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
727 # Open Ldb connection with the tested user
728 _ldb = self.get_ldb_connection(user_name, "samba123@")
729 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
730 self.delete_force(self.ldb_admin, object_dn)
731 # Create a custom security descriptor
732 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
733 self.create_domain_group(_ldb, object_dn, desc_sddl)
734 desc_sddl = self.get_desc_sddl(object_dn)
735 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
736 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
739 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
741 user_name = "testuser8"
742 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
743 # Open Ldb connection with the tested user
744 _ldb = self.get_ldb_connection(user_name, "samba123@")
745 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
746 self.delete_force(self.ldb_admin, object_dn)
747 # Create a custom security descriptor
748 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
749 self.create_domain_group(_ldb, object_dn, desc_sddl)
750 desc_sddl = self.get_desc_sddl(object_dn)
751 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
752 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
755 user_name = "Administrator"
756 object_dn = "OU=test_domain_ou1," + self.base_dn
757 self.delete_force(self.ldb_admin, object_dn)
758 self.create_domain_ou(self.ldb_admin, object_dn)
759 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
760 mod = "(D;CI;WP;;;S-1-3-0)"
762 self.dacl_add_ace(object_dn, mod)
763 desc_sddl = self.get_desc_sddl(object_dn)
764 # Create additional object into the first one
765 object_dn = "OU=test_domain_ou2," + object_dn
766 self.delete_force(self.ldb_admin, object_dn)
767 self.create_domain_ou(self.ldb_admin, object_dn)
768 desc_sddl = self.get_desc_sddl(object_dn)
772 # Defalt descriptor tests ##################################################################
775 user_name = "testuser1"
776 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
777 # Open Ldb connection with the tested user
778 _ldb = self.get_ldb_connection(user_name, "samba123@")
779 # Change Schema partition descriptor
780 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
781 mod = "(A;;WDCC;;;AU)"
782 self.dacl_add_ace(self.schema_dn, mod)
783 # Create example Schema class
784 class_name = self.get_unique_schema_class_name()
785 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
786 self.create_schema_class(_ldb, class_dn)
787 desc_sddl = self.get_desc_sddl(class_dn)
788 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
789 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
790 self.check_modify_inheritance(_ldb, class_dn)
793 user_name = "testuser2"
794 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
795 # Open Ldb connection with the tested user
796 _ldb = self.get_ldb_connection(user_name, "samba123@")
797 # Change Schema partition descriptor
798 mod = "(A;CI;WDCC;;;AU)"
799 self.dacl_add_ace(self.schema_dn, mod)
800 # Create example Schema class
801 class_name = self.get_unique_schema_class_name()
802 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
803 self.create_schema_class(_ldb, class_dn)
804 desc_sddl = self.get_desc_sddl(class_dn)
805 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
806 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
807 self.check_modify_inheritance(_ldb, class_dn)
810 user_name = "testuser3"
811 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
812 # Open Ldb connection with the tested user
813 _ldb = self.get_ldb_connection(user_name, "samba123@")
814 # Change Schema partition descriptor
815 mod = "(A;CI;WDCC;;;AU)"
816 self.dacl_add_ace(self.schema_dn, mod)
817 # Create example Schema class
818 class_name = self.get_unique_schema_class_name()
819 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
820 self.create_schema_class(_ldb, class_dn)
821 desc_sddl = self.get_desc_sddl(class_dn)
822 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
823 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
824 #self.check_modify_inheritance(_ldb, class_dn)
827 user_name = "testuser4"
828 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
829 # Open Ldb connection with the tested user
830 _ldb = self.get_ldb_connection(user_name, "samba123@")
831 #Change Schema partition descriptor
832 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
833 mod = "(A;CI;WDCC;;;AU)"
834 self.dacl_add_ace(self.schema_dn, mod)
835 # Create example Schema class
836 class_name = self.get_unique_schema_class_name()
837 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
838 self.create_schema_class(_ldb, class_dn)
839 desc_sddl = self.get_desc_sddl(class_dn)
840 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
841 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
842 #self.check_modify_inheritance(_ldb, class_dn)
845 user_name = "testuser5"
846 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
847 # Open Ldb connection with the tested user
848 _ldb = self.get_ldb_connection(user_name, "samba123@")
849 #Change Schema partition descriptor
850 mod = "(A;CI;WDCC;;;AU)"
851 self.dacl_add_ace(self.schema_dn, mod)
852 # Create example Schema class
853 class_name = self.get_unique_schema_class_name()
854 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
855 self.create_schema_class(_ldb, class_dn)
856 desc_sddl = self.get_desc_sddl(class_dn)
857 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
858 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
859 self.check_modify_inheritance(_ldb, class_dn)
862 user_name = "testuser6"
863 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
864 # Open Ldb connection with the tested user
865 _ldb = self.get_ldb_connection(user_name, "samba123@")
866 # Change Schema partition descriptor
867 mod = "(A;CI;WDCC;;;AU)"
868 self.dacl_add_ace(self.schema_dn, mod)
869 # Create example Schema class
870 class_name = self.get_unique_schema_class_name()
871 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
872 self.create_schema_class(_ldb, class_dn)
873 desc_sddl = self.get_desc_sddl(class_dn)
874 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
875 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
876 self.check_modify_inheritance(_ldb, class_dn)
879 user_name = "testuser7"
880 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
881 # Open Ldb connection with the tested user
882 _ldb = self.get_ldb_connection(user_name, "samba123@")
883 # Change Schema partition descriptor
884 mod = "(A;CI;WDCC;;;AU)"
885 self.dacl_add_ace(self.schema_dn, mod)
886 # Create example Schema class
887 class_name = self.get_unique_schema_class_name()
888 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
889 self.create_schema_class(_ldb, class_dn)
890 desc_sddl = self.get_desc_sddl(class_dn)
891 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
892 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
893 self.check_modify_inheritance(_ldb, class_dn)
896 user_name = "testuser8"
897 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
898 # Open Ldb connection with the tested user
899 _ldb = self.get_ldb_connection(user_name, "samba123@")
900 # Change Schema partition descriptor
901 mod = "(A;CI;WDCC;;;AU)"
902 self.dacl_add_ace(self.schema_dn, mod)
903 # Create example Schema class
904 class_name = self.get_unique_schema_class_name()
905 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
906 self.create_schema_class(_ldb, class_dn)
907 desc_sddl = self.get_desc_sddl(class_dn)
908 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
909 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
910 self.check_modify_inheritance(_ldb, class_dn)
912 # Custom descriptor tests ##################################################################
915 user_name = "testuser1"
916 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
917 # Open Ldb connection with the tested user
918 _ldb = self.get_ldb_connection(user_name, "samba123@")
919 # Change Schema partition descriptor
921 self.dacl_add_ace(self.schema_dn, mod)
922 # Create a custom security descriptor
923 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
924 # Create example Schema class
925 class_name = self.get_unique_schema_class_name()
926 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
927 self.create_schema_class(_ldb, class_dn, desc_sddl)
928 desc_sddl = self.get_desc_sddl(class_dn)
929 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
930 self.assertEqual("O:DAG:DA", res)
933 user_name = "testuser2"
934 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
935 # Open Ldb connection with the tested user
936 _ldb = self.get_ldb_connection(user_name, "samba123@")
937 # Change Schema partition descriptor
939 self.dacl_add_ace(self.schema_dn, mod)
940 # Create a custom security descriptor
941 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
942 # Create example Schema class
943 class_name = self.get_unique_schema_class_name()
944 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
945 self.create_schema_class(_ldb, class_dn, desc_sddl)
946 desc_sddl = self.get_desc_sddl(class_dn)
947 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
948 self.assertEqual("O:DAG:DA", res)
951 user_name = "testuser3"
952 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
953 # Open Ldb connection with the tested user
954 _ldb = self.get_ldb_connection(user_name, "samba123@")
955 # Create a custom security descriptor
956 # NB! Problematic owner part won't accept DA only <User Sid> !!!
957 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
958 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
959 # Create example Schema class
960 class_name = self.get_unique_schema_class_name()
961 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
962 self.create_schema_class(_ldb, class_dn, desc_sddl)
963 desc_sddl = self.get_desc_sddl(class_dn)
964 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
965 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
968 user_name = "testuser4"
969 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
970 # Open Ldb connection with the tested user
971 _ldb = self.get_ldb_connection(user_name, "samba123@")
972 # Create a custom security descriptor
973 # NB! Problematic owner part won't accept DA only <User Sid> !!!
974 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
975 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
976 # Create example Schema class
977 class_name = self.get_unique_schema_class_name()
978 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
979 self.create_schema_class(_ldb, class_dn, desc_sddl)
980 desc_sddl = self.get_desc_sddl(class_dn)
981 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
982 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
985 user_name = "testuser5"
986 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
987 # Open Ldb connection with the tested user
988 _ldb = self.get_ldb_connection(user_name, "samba123@")
989 # Change Schema partition descriptor
991 self.dacl_add_ace(self.schema_dn, mod)
992 # Create a custom security descriptor
993 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
994 # Create example Schema class
995 class_name = self.get_unique_schema_class_name()
996 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
997 self.create_schema_class(_ldb, class_dn, desc_sddl)
998 desc_sddl = self.get_desc_sddl(class_dn)
999 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1000 self.assertEqual("O:DAG:DA", res)
1003 user_name = "testuser6"
1004 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1005 # Open Ldb connection with the tested user
1006 _ldb = self.get_ldb_connection(user_name, "samba123@")
1007 # Change Schema partition descriptor
1008 mod = "(A;;CC;;;AU)"
1009 self.dacl_add_ace(self.schema_dn, mod)
1010 # Create a custom security descriptor
1011 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1012 # Create example Schema class
1013 class_name = self.get_unique_schema_class_name()
1014 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1015 self.create_schema_class(_ldb, class_dn, desc_sddl)
1016 desc_sddl = self.get_desc_sddl(class_dn)
1017 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1018 self.assertEqual("O:DAG:DA", res)
1021 user_name = "testuser7"
1022 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1023 # Open Ldb connection with the tested user
1024 _ldb = self.get_ldb_connection(user_name, "samba123@")
1025 # Change Schema partition descriptor
1026 mod = "(A;;CC;;;AU)"
1027 self.dacl_add_ace(self.schema_dn, mod)
1028 # Create a custom security descriptor
1029 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1030 # Create example Schema class
1031 class_name = self.get_unique_schema_class_name()
1032 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1033 self.create_schema_class(_ldb, class_dn, desc_sddl)
1034 desc_sddl = self.get_desc_sddl(class_dn)
1035 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1036 self.assertEqual("O:DAG:DA", res)
1039 user_name = "testuser8"
1040 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1041 # Open Ldb connection with the tested user
1042 _ldb = self.get_ldb_connection(user_name, "samba123@")
1043 # Change Schema partition descriptor
1044 mod = "(A;;CC;;;AU)"
1045 self.dacl_add_ace(self.schema_dn, mod)
1046 # Create a custom security descriptor
1047 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1048 # Create example Schema class
1049 class_name = self.get_unique_schema_class_name()
1050 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1051 self.create_schema_class(_ldb, class_dn, desc_sddl)
1052 desc_sddl = self.get_desc_sddl(class_dn)
1053 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1054 self.assertEqual("O:DAG:DA", res)
1056 ## Tests for CONFIGURATION
1058 # Defalt descriptor tests ##################################################################
1061 user_name = "testuser1"
1062 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1063 # Open Ldb connection with the tested user
1064 _ldb = self.get_ldb_connection(user_name, "samba123@")
1065 # Create example Configuration container
1066 container_name = "test-container1"
1067 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1068 self.delete_force(self.ldb_admin, object_dn)
1069 self.create_configuration_container(_ldb, object_dn, )
1070 desc_sddl = self.get_desc_sddl(object_dn)
1071 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1072 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1073 self.check_modify_inheritance(_ldb, object_dn)
1076 user_name = "testuser2"
1077 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1078 # Open Ldb connection with the tested user
1079 _ldb = self.get_ldb_connection(user_name, "samba123@")
1080 # Create example Configuration container
1081 container_name = "test-container1"
1082 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1083 self.delete_force(self.ldb_admin, object_dn)
1084 self.create_configuration_container(_ldb, object_dn, )
1085 desc_sddl = self.get_desc_sddl(object_dn)
1086 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1087 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1088 self.check_modify_inheritance(_ldb, object_dn)
1091 user_name = "testuser3"
1092 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1093 # Open Ldb connection with the tested user
1094 _ldb = self.get_ldb_connection(user_name, "samba123@")
1095 # Create example Configuration container
1096 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1097 self.delete_force(self.ldb_admin, object_dn)
1098 self.create_configuration_container(self.ldb_admin, object_dn, )
1099 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1100 mod = "(A;;WDCC;;;AU)"
1101 self.dacl_add_ace(object_dn, mod)
1102 # Create child object with user's credentials
1103 object_dn = "CN=test-specifier1," + object_dn
1104 self.delete_force(self.ldb_admin, object_dn)
1105 self.create_configuration_specifier(_ldb, object_dn)
1106 desc_sddl = self.get_desc_sddl(object_dn)
1107 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1108 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1109 #self.check_modify_inheritance(_ldb, object_dn)
1112 user_name = "testuser4"
1113 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1114 # Open Ldb connection with the tested user
1115 _ldb = self.get_ldb_connection(user_name, "samba123@")
1116 # Create example Configuration container
1117 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1118 self.delete_force(self.ldb_admin, object_dn)
1119 self.create_configuration_container(self.ldb_admin, object_dn, )
1120 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1121 mod = "(A;CI;WDCC;;;AU)"
1122 self.dacl_add_ace(object_dn, mod)
1123 # Create child object with user's credentials
1124 object_dn = "CN=test-specifier1," + object_dn
1125 self.delete_force(self.ldb_admin, object_dn)
1126 self.create_configuration_specifier(_ldb, object_dn)
1127 desc_sddl = self.get_desc_sddl(object_dn)
1128 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1129 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1130 #self.check_modify_inheritance(_ldb, object_dn)
1133 user_name = "testuser5"
1134 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1135 # Open Ldb connection with the tested user
1136 _ldb = self.get_ldb_connection(user_name, "samba123@")
1137 # Create example Configuration container
1138 container_name = "test-container1"
1139 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1140 self.delete_force(self.ldb_admin, object_dn)
1141 self.create_configuration_container(_ldb, object_dn, )
1142 desc_sddl = self.get_desc_sddl(object_dn)
1143 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1144 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1145 self.check_modify_inheritance(_ldb, object_dn)
1148 user_name = "testuser6"
1149 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1150 # Open Ldb connection with the tested user
1151 _ldb = self.get_ldb_connection(user_name, "samba123@")
1152 # Create example Configuration container
1153 container_name = "test-container1"
1154 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1155 self.delete_force(self.ldb_admin, object_dn)
1156 self.create_configuration_container(_ldb, object_dn, )
1157 desc_sddl = self.get_desc_sddl(object_dn)
1158 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1159 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1160 self.check_modify_inheritance(_ldb, object_dn)
1163 user_name = "testuser7"
1164 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1165 # Open Ldb connection with the tested user
1166 _ldb = self.get_ldb_connection(user_name, "samba123@")
1167 # Create example Configuration container
1168 container_name = "test-container1"
1169 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1170 self.delete_force(self.ldb_admin, object_dn)
1171 self.create_configuration_container(_ldb, object_dn, )
1172 desc_sddl = self.get_desc_sddl(object_dn)
1173 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1174 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1175 self.check_modify_inheritance(_ldb, object_dn)
1178 user_name = "testuser8"
1179 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1180 # Open Ldb connection with the tested user
1181 _ldb = self.get_ldb_connection(user_name, "samba123@")
1182 # Create example Configuration container
1183 container_name = "test-container1"
1184 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1185 self.delete_force(self.ldb_admin, object_dn)
1186 self.create_configuration_container(_ldb, object_dn, )
1187 desc_sddl = self.get_desc_sddl(object_dn)
1188 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1189 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1190 self.check_modify_inheritance(_ldb, object_dn)
1192 # Custom descriptor tests ##################################################################
1195 user_name = "testuser1"
1196 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1197 # Open Ldb connection with the tested user
1198 _ldb = self.get_ldb_connection(user_name, "samba123@")
1199 # Create example Configuration container
1200 container_name = "test-container1"
1201 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1202 self.delete_force(self.ldb_admin, object_dn)
1203 # Create a custom security descriptor
1204 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1205 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1206 desc_sddl = self.get_desc_sddl(object_dn)
1207 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1208 self.assertEqual("O:DAG:DA", res)
1211 user_name = "testuser2"
1212 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1213 # Open Ldb connection with the tested user
1214 _ldb = self.get_ldb_connection(user_name, "samba123@")
1215 # Create example Configuration container
1216 container_name = "test-container1"
1217 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1218 self.delete_force(self.ldb_admin, object_dn)
1219 # Create a custom security descriptor
1220 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1221 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1222 desc_sddl = self.get_desc_sddl(object_dn)
1223 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1224 self.assertEqual("O:DAG:DA", res)
1227 user_name = "testuser3"
1228 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1229 # Open Ldb connection with the tested user
1230 _ldb = self.get_ldb_connection(user_name, "samba123@")
1231 # Create example Configuration container
1232 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1233 self.delete_force(self.ldb_admin, object_dn)
1234 self.create_configuration_container(self.ldb_admin, object_dn, )
1235 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1236 mod = "(A;;CC;;;AU)"
1237 self.dacl_add_ace(object_dn, mod)
1238 # Create child object with user's credentials
1239 object_dn = "CN=test-specifier1," + object_dn
1240 self.delete_force(self.ldb_admin, object_dn)
1241 # Create a custom security descriptor
1242 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1243 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1244 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1245 desc_sddl = self.get_desc_sddl(object_dn)
1246 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1247 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1250 user_name = "testuser4"
1251 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1252 # Open Ldb connection with the tested user
1253 _ldb = self.get_ldb_connection(user_name, "samba123@")
1254 # Create example Configuration container
1255 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1256 self.delete_force(self.ldb_admin, object_dn)
1257 self.create_configuration_container(self.ldb_admin, object_dn, )
1258 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1259 mod = "(A;;CC;;;AU)"
1260 self.dacl_add_ace(object_dn, mod)
1261 # Create child object with user's credentials
1262 object_dn = "CN=test-specifier1," + object_dn
1263 self.delete_force(self.ldb_admin, object_dn)
1264 # Create a custom security descriptor
1265 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1266 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1267 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1268 desc_sddl = self.get_desc_sddl(object_dn)
1269 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1270 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1273 user_name = "testuser5"
1274 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1275 # Open Ldb connection with the tested user
1276 _ldb = self.get_ldb_connection(user_name, "samba123@")
1277 # Create example Configuration container
1278 container_name = "test-container1"
1279 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1280 self.delete_force(self.ldb_admin, object_dn)
1281 # Create a custom security descriptor
1282 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1283 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1284 desc_sddl = self.get_desc_sddl(object_dn)
1285 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1286 self.assertEqual("O:DAG:DA", res)
1289 user_name = "testuser6"
1290 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1291 # Open Ldb connection with the tested user
1292 _ldb = self.get_ldb_connection(user_name, "samba123@")
1293 # Create example Configuration container
1294 container_name = "test-container1"
1295 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1296 self.delete_force(self.ldb_admin, object_dn)
1297 # Create a custom security descriptor
1298 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1299 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1300 desc_sddl = self.get_desc_sddl(object_dn)
1301 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1302 self.assertEqual("O:DAG:DA", res)
1305 user_name = "testuser7"
1306 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1307 # Open Ldb connection with the tested user
1308 _ldb = self.get_ldb_connection(user_name, "samba123@")
1309 # Create example Configuration container
1310 container_name = "test-container1"
1311 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1312 self.delete_force(self.ldb_admin, object_dn)
1313 # Create a custom security descriptor
1314 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1315 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1316 desc_sddl = self.get_desc_sddl(object_dn)
1317 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1318 self.assertEqual("O:DAG:DA", res)
1321 user_name = "testuser8"
1322 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1323 # Open Ldb connection with the tested user
1324 _ldb = self.get_ldb_connection(user_name, "samba123@")
1325 # Create example Configuration container
1326 container_name = "test-container1"
1327 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1328 self.delete_force(self.ldb_admin, object_dn)
1329 # Create a custom security descriptor
1330 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1331 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1332 desc_sddl = self.get_desc_sddl(object_dn)
1333 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1334 self.assertEqual("O:DAG:DA", res)
1336 ########################################################################################
1337 # Inharitance tests for DACL
1339 class DaclDescriptorTests(DescriptorTests):
1341 def deleteAll(self):
1342 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1343 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1346 super(DaclDescriptorTests, self).setUp()
1349 def create_clean_ou(self, object_dn):
1350 """ Base repeating setup for unittests to follow """
1351 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1352 expression="distinguishedName=%s" % object_dn)
1353 # Make sure top testing OU has been deleted before starting the test
1354 self.assertEqual(res, [])
1355 self.create_domain_ou(self.ldb_admin, object_dn)
1356 desc_sddl = self.get_desc_sddl(object_dn)
1357 # Make sure there are inheritable ACEs initially
1358 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1359 # Find and remove all inherit ACEs
1360 res = re.findall("\(.*?\)", desc_sddl)
1361 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1363 desc_sddl = desc_sddl.replace(x, "")
1364 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1365 # can propagate from above
1366 # remove SACL, we are not interested
1367 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1368 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
1369 # Verify all inheritable ACEs are gone
1370 desc_sddl = self.get_desc_sddl(object_dn)
1371 self.assertFalse("CI" in desc_sddl)
1372 self.assertFalse("OI" in desc_sddl)
1375 """ OU with protected flag and child group. See if the group has inherit ACEs.
1377 ou_dn = "OU=test_inherit_ou," + self.base_dn
1378 group_dn = "CN=test_inherit_group," + ou_dn
1379 # Create inheritable-free OU
1380 self.create_clean_ou(ou_dn)
1381 # Create group child object
1382 self.create_domain_group(self.ldb_admin, group_dn)
1383 # Make sure created group object contains NO inherit ACEs
1384 desc_sddl = self.get_desc_sddl(group_dn)
1385 self.assertFalse("ID" in desc_sddl)
1388 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1389 Verify group has custom and default ACEs only.
1391 ou_dn = "OU=test_inherit_ou," + self.base_dn
1392 group_dn = "CN=test_inherit_group," + ou_dn
1393 # Create inheritable-free OU
1394 self.create_clean_ou(ou_dn)
1395 # Create group child object using custom security descriptor
1396 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1397 self.create_domain_group(self.ldb_admin, group_dn, sddl)
1398 # Make sure created group descriptor has NO additional ACEs
1399 desc_sddl = self.get_desc_sddl(group_dn)
1400 self.assertEqual(desc_sddl, sddl)
1401 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1402 self.modify_desc(self.ldb_admin, group_dn, sddl)
1403 desc_sddl = self.get_desc_sddl(group_dn)
1404 self.assertEqual(desc_sddl, sddl)
1407 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1408 See if the group has any of the added ACEs.
1410 ou_dn = "OU=test_inherit_ou," + self.base_dn
1411 group_dn = "CN=test_inherit_group," + ou_dn
1412 # Create inheritable-free OU
1413 self.create_clean_ou(ou_dn)
1414 # Add some custom non-inheritable ACEs
1415 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1416 moded = "(D;;CC;;;LG)"
1417 self.dacl_add_ace(ou_dn, mod)
1418 # Verify all inheritable ACEs are gone
1419 desc_sddl = self.get_desc_sddl(ou_dn)
1420 # Create group child object
1421 self.create_domain_group(self.ldb_admin, group_dn)
1422 # Make sure created group object contains NO inherit ACEs
1423 # also make sure the added above non-inheritable ACEs are absent too
1424 desc_sddl = self.get_desc_sddl(group_dn)
1425 self.assertFalse("ID" in desc_sddl)
1426 for x in re.findall("\(.*?\)", mod):
1427 self.assertFalse(x in desc_sddl)
1428 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1429 desc_sddl = self.get_desc_sddl(group_dn)
1430 self.assertFalse("ID" in desc_sddl)
1431 for x in re.findall("\(.*?\)", mod):
1432 self.assertFalse(x in desc_sddl)
1435 """ OU with protected flag and add 'CI' ACE, child group.
1436 See if the group has the added inherited ACE.
1438 ou_dn = "OU=test_inherit_ou," + self.base_dn
1439 group_dn = "CN=test_inherit_group," + ou_dn
1440 # Create inheritable-free OU
1441 self.create_clean_ou(ou_dn)
1442 # Add some custom 'CI' ACE
1443 mod = "(D;CI;WP;;;DU)"
1444 moded = "(D;;CC;;;LG)"
1445 self.dacl_add_ace(ou_dn, mod)
1446 desc_sddl = self.get_desc_sddl(ou_dn)
1447 # Create group child object
1448 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1449 # Make sure created group object contains only the above inherited ACE
1450 # that we've added manually
1451 desc_sddl = self.get_desc_sddl(group_dn)
1452 mod = mod.replace(";CI;", ";CIID;")
1453 self.assertTrue(mod in desc_sddl)
1454 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1455 desc_sddl = self.get_desc_sddl(group_dn)
1456 self.assertTrue(moded in desc_sddl)
1457 self.assertTrue(mod in desc_sddl)
1460 """ OU with protected flag and add 'OI' ACE, child group.
1461 See if the group has the added inherited ACE.
1463 ou_dn = "OU=test_inherit_ou," + self.base_dn
1464 group_dn = "CN=test_inherit_group," + ou_dn
1465 # Create inheritable-free OU
1466 self.create_clean_ou(ou_dn)
1467 # Add some custom 'CI' ACE
1468 mod = "(D;OI;WP;;;DU)"
1469 moded = "(D;;CC;;;LG)"
1470 self.dacl_add_ace(ou_dn, mod)
1471 desc_sddl = self.get_desc_sddl(ou_dn)
1472 # Create group child object
1473 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1474 # Make sure created group object contains only the above inherited ACE
1475 # that we've added manually
1476 desc_sddl = self.get_desc_sddl(group_dn)
1477 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1478 self.assertTrue(mod in desc_sddl)
1479 self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
1480 desc_sddl = self.get_desc_sddl(group_dn)
1481 self.assertTrue(moded in desc_sddl)
1482 self.assertTrue(mod in desc_sddl)
1485 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1486 See if the group has the added inherited ACE.
1488 ou_dn = "OU=test_inherit_ou," + self.base_dn
1489 group_dn = "CN=test_inherit_group," + ou_dn
1490 # Create inheritable-free OU
1491 self.create_clean_ou(ou_dn)
1492 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1493 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1494 moded = "(D;;CC;;;LG)"
1495 self.dacl_add_ace(ou_dn, mod)
1496 desc_sddl = self.get_desc_sddl(ou_dn)
1497 # Create group child object
1498 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1499 # Make sure created group object contains only the above inherited ACE
1500 # that we've added manually
1501 desc_sddl = self.get_desc_sddl(group_dn)
1502 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1503 self.assertTrue(mod in desc_sddl)
1504 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1505 desc_sddl = self.get_desc_sddl(group_dn)
1506 self.assertTrue(moded in desc_sddl)
1507 self.assertTrue(mod in desc_sddl)
1510 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1511 See if the group has the added inherited ACE.
1513 ou_dn = "OU=test_inherit_ou," + self.base_dn
1514 group_dn = "CN=test_inherit_group," + ou_dn
1515 # Create inheritable-free OU
1516 self.create_clean_ou(ou_dn)
1517 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1518 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1519 moded = "(D;;CC;;;LG)"
1520 self.dacl_add_ace(ou_dn, mod)
1521 desc_sddl = self.get_desc_sddl(ou_dn)
1522 # Create group child object
1523 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1524 # Make sure created group object contains only the above inherited ACE
1525 # that we've added manually
1526 desc_sddl = self.get_desc_sddl(group_dn)
1527 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1528 self.assertTrue(mod in desc_sddl)
1529 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1530 desc_sddl = self.get_desc_sddl(group_dn)
1531 self.assertTrue(moded in desc_sddl)
1532 self.assertTrue(mod in desc_sddl)
1535 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1536 See if the group has the added inherited ACE.
1538 ou_dn = "OU=test_inherit_ou," + self.base_dn
1539 group_dn = "CN=test_inherit_group," + ou_dn
1540 # Create inheritable-free OU
1541 self.create_clean_ou(ou_dn)
1542 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1543 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1544 moded = "(D;;CC;;;LG)"
1545 self.dacl_add_ace(ou_dn, mod)
1546 desc_sddl = self.get_desc_sddl(ou_dn)
1547 # Create group child object
1548 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1549 # Make sure created group object contains only the above inherited ACE
1550 # that we've added manually
1551 desc_sddl = self.get_desc_sddl(group_dn)
1552 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1553 self.assertTrue(mod in desc_sddl)
1554 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1555 desc_sddl = self.get_desc_sddl(group_dn)
1556 self.assertTrue(moded in desc_sddl)
1557 self.assertTrue(mod in desc_sddl)
1560 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1561 See if the group has the added inherited ACE.
1563 ou_dn = "OU=test_inherit_ou," + self.base_dn
1564 group_dn = "CN=test_inherit_group," + ou_dn
1565 # Create inheritable-free OU
1566 self.create_clean_ou(ou_dn)
1567 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1568 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1569 moded = "(D;;CC;;;LG)"
1570 self.dacl_add_ace(ou_dn, mod)
1571 desc_sddl = self.get_desc_sddl(ou_dn)
1572 # Create group child object
1573 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1574 # Make sure created group object contains only the above inherited ACE
1575 # that we've added manually
1576 desc_sddl = self.get_desc_sddl(group_dn)
1577 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1578 self.assertTrue(mod in desc_sddl)
1579 self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1580 desc_sddl = self.get_desc_sddl(group_dn)
1581 self.assertTrue(moded in desc_sddl)
1582 self.assertTrue(mod in desc_sddl)
1585 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1586 See if the group has the added inherited ACE.
1588 ou_dn = "OU=test_inherit_ou," + self.base_dn
1589 group_dn = "CN=test_inherit_group," + ou_dn
1590 # Create inheritable-free OU
1591 self.create_clean_ou(ou_dn)
1592 # Add some custom 'CI' ACE
1593 mod = "(D;CI;WP;;;CO)"
1594 moded = "(D;;CC;;;LG)"
1595 self.dacl_add_ace(ou_dn, mod)
1596 desc_sddl = self.get_desc_sddl(ou_dn)
1597 # Create group child object
1598 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1599 # Make sure created group object contains only the above inherited ACE(s)
1600 # that we've added manually
1601 desc_sddl = self.get_desc_sddl(group_dn)
1602 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1603 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1604 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1605 desc_sddl = self.get_desc_sddl(group_dn)
1606 self.assertTrue(moded in desc_sddl)
1607 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1608 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1611 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1613 ou_dn = "OU=test_inherit_ou," + self.base_dn
1614 group_dn = "CN=test_inherit_group," + ou_dn
1615 self.create_clean_ou(ou_dn)
1616 # Add some custom ACE
1617 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1618 self.create_domain_group(self.ldb_admin, group_dn, mod)
1619 # Make sure created group object does not contain the ID ace
1620 desc_sddl = self.get_desc_sddl(group_dn)
1621 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1624 """ Provide ACE with CO SID, should be expanded and replaced
1626 ou_dn = "OU=test_inherit_ou," + self.base_dn
1627 group_dn = "CN=test_inherit_group," + ou_dn
1628 # Create inheritable-free OU
1629 self.create_clean_ou(ou_dn)
1630 # Add some custom 'CI' ACE
1631 mod = "D:(D;CI;WP;;;CO)"
1632 self.create_domain_group(self.ldb_admin, group_dn, mod)
1633 desc_sddl = self.get_desc_sddl(group_dn)
1634 self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
1637 """ Provide ACE with IO flag, should be ignored
1639 ou_dn = "OU=test_inherit_ou," + self.base_dn
1640 group_dn = "CN=test_inherit_group," + ou_dn
1641 # Create inheritable-free OU
1642 self.create_clean_ou(ou_dn)
1643 # Add some custom 'CI' ACE
1644 mod = "D:(D;CIIO;WP;;;CO)"
1645 self.create_domain_group(self.ldb_admin, group_dn, mod)
1646 # Make sure created group object contains only the above inherited ACE(s)
1647 # that we've added manually
1648 desc_sddl = self.get_desc_sddl(group_dn)
1649 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1650 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1651 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1654 """ Provide ACE with IO flag, should be ignored
1656 ou_dn = "OU=test_inherit_ou," + self.base_dn
1657 group_dn = "CN=test_inherit_group," + ou_dn
1658 # Create inheritable-free OU
1659 self.create_clean_ou(ou_dn)
1660 mod = "D:(D;IO;WP;;;DA)"
1661 self.create_domain_group(self.ldb_admin, group_dn, mod)
1662 # Make sure created group object contains only the above inherited ACE(s)
1663 # that we've added manually
1664 desc_sddl = self.get_desc_sddl(group_dn)
1665 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1667 ########################################################################################
1670 class SdFlagsDescriptorTests(DescriptorTests):
1671 def deleteAll(self):
1672 self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1675 super(SdFlagsDescriptorTests, self).setUp()
1676 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1680 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1681 See that only the owner has been changed.
1683 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1684 self.create_domain_ou(self.ldb_admin, ou_dn)
1685 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1686 desc_sddl = self.get_desc_sddl(ou_dn)
1687 # make sure we have modified the owner
1688 self.assertTrue("O:AU" in desc_sddl)
1689 # make sure nothing else has been modified
1690 self.assertFalse("G:AU" in desc_sddl)
1691 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1692 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1695 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1696 See that only the owner has been changed.
1698 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1699 self.create_domain_ou(self.ldb_admin, ou_dn)
1700 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1701 desc_sddl = self.get_desc_sddl(ou_dn)
1702 # make sure we have modified the group
1703 self.assertTrue("G:AU" in desc_sddl)
1704 # make sure nothing else has been modified
1705 self.assertFalse("O:AU" in desc_sddl)
1706 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1707 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1710 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1711 See that only the owner has been changed.
1713 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1714 self.create_domain_ou(self.ldb_admin, ou_dn)
1715 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1716 desc_sddl = self.get_desc_sddl(ou_dn)
1717 # make sure we have modified the DACL
1718 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1719 # make sure nothing else has been modified
1720 self.assertFalse("O:AU" in desc_sddl)
1721 self.assertFalse("G:AU" in desc_sddl)
1722 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1725 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1726 See that only the owner has been changed.
1728 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1729 self.create_domain_ou(self.ldb_admin, ou_dn)
1730 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1731 desc_sddl = self.get_desc_sddl(ou_dn)
1732 # make sure we have modified the DACL
1733 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1734 # make sure nothing else has been modified
1735 self.assertFalse("O:AU" in desc_sddl)
1736 self.assertFalse("G:AU" in desc_sddl)
1737 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1740 """ Modify a descriptor with 0x0 set.
1741 Contrary to logic this is interpreted as no control,
1742 which is the same as 0xF
1744 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1745 self.create_domain_ou(self.ldb_admin, ou_dn)
1746 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1747 desc_sddl = self.get_desc_sddl(ou_dn)
1748 # make sure we have modified the DACL
1749 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1750 # make sure nothing else has been modified
1751 self.assertTrue("O:AU" in desc_sddl)
1752 self.assertTrue("G:AU" in desc_sddl)
1753 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1756 """ Modify a descriptor with 0xF set.
1758 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1759 self.create_domain_ou(self.ldb_admin, ou_dn)
1760 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1761 desc_sddl = self.get_desc_sddl(ou_dn)
1762 # make sure we have modified the DACL
1763 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1764 # make sure nothing else has been modified
1765 self.assertTrue("O:AU" in desc_sddl)
1766 self.assertTrue("G:AU" in desc_sddl)
1767 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1770 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1771 Only the owner part should be returned.
1773 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1774 self.create_domain_ou(self.ldb_admin, ou_dn)
1775 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1776 # make sure we have read the owner
1777 self.assertTrue("O:" in desc_sddl)
1778 # make sure we have read nothing else
1779 self.assertFalse("G:" in desc_sddl)
1780 self.assertFalse("D:" in desc_sddl)
1781 self.assertFalse("S:" in desc_sddl)
1784 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1785 Only the group part should be returned.
1787 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1788 self.create_domain_ou(self.ldb_admin, ou_dn)
1789 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1790 # make sure we have read the owner
1791 self.assertTrue("G:" in desc_sddl)
1792 # make sure we have read nothing else
1793 self.assertFalse("O:" in desc_sddl)
1794 self.assertFalse("D:" in desc_sddl)
1795 self.assertFalse("S:" in desc_sddl)
1798 """ Read a descriptor with SACL_SECURITY_INFORMATION
1799 Only the sacl part should be returned.
1801 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1802 self.create_domain_ou(self.ldb_admin, ou_dn)
1803 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1804 # make sure we have read the owner
1805 self.assertTrue("S:" in desc_sddl)
1806 # make sure we have read nothing else
1807 self.assertFalse("O:" in desc_sddl)
1808 self.assertFalse("D:" in desc_sddl)
1809 self.assertFalse("G:" in desc_sddl)
1812 """ Read a descriptor with DACL_SECURITY_INFORMATION
1813 Only the dacl part should be returned.
1815 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1816 self.create_domain_ou(self.ldb_admin, ou_dn)
1817 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1818 # make sure we have read the owner
1819 self.assertTrue("D:" in desc_sddl)
1820 # make sure we have read nothing else
1821 self.assertFalse("O:" in desc_sddl)
1822 self.assertFalse("S:" in desc_sddl)
1823 self.assertFalse("G:" in desc_sddl)
1826 class RightsAttributesTests(DescriptorTests):
1828 def deleteAll(self):
1829 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1830 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1831 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1834 super(RightsAttributesTests, self).setUp()
1838 self.create_enable_user("testuser_attr")
1839 # User 2, Domain Admins
1840 self.create_enable_user("testuser_attr2")
1841 self.ldb_admin.add_remove_group_members("Domain Admins",
1843 add_members_operation=True)
1845 def test_sDRightsEffective(self):
1846 object_dn = "OU=test_domain_ou1," + self.base_dn
1847 self.delete_force(self.ldb_admin, object_dn)
1848 self.create_domain_ou(self.ldb_admin, object_dn)
1849 print self.get_users_domain_dn("testuser_attr")
1850 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1851 #give testuser1 read access so attributes can be retrieved
1852 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1853 self.dacl_add_ace(object_dn, mod)
1854 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1855 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1856 attrs=["sDRightsEffective"])
1857 #user whould have no rights at all
1858 self.assertEquals(len(res), 1)
1859 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1860 #give the user Write DACL and see what happens
1861 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1862 self.dacl_add_ace(object_dn, mod)
1863 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1864 attrs=["sDRightsEffective"])
1865 #user whould have DACL_SECURITY_INFORMATION
1866 self.assertEquals(len(res), 1)
1867 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1868 #give the user Write Owners and see what happens
1869 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1870 self.dacl_add_ace(object_dn, mod)
1871 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1872 attrs=["sDRightsEffective"])
1873 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1874 self.assertEquals(len(res), 1)
1875 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1876 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1877 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1878 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1879 attrs=["sDRightsEffective"])
1880 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1881 self.assertEquals(len(res), 1)
1882 self.assertEquals(res[0]["sDRightsEffective"][0], \
1883 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1885 def test_allowedChildClassesEffective(self):
1886 object_dn = "OU=test_domain_ou1," + self.base_dn
1887 self.delete_force(self.ldb_admin, object_dn)
1888 self.create_domain_ou(self.ldb_admin, object_dn)
1889 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1890 #give testuser1 read access so attributes can be retrieved
1891 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1892 self.dacl_add_ace(object_dn, mod)
1893 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1894 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1895 attrs=["allowedChildClassesEffective"])
1896 #there should be no allowed child classes
1897 self.assertEquals(len(res), 1)
1898 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1899 #give the user the right to create children of type user
1900 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1901 self.dacl_add_ace(object_dn, mod)
1902 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1903 attrs=["allowedChildClassesEffective"])
1904 # allowedChildClassesEffective should only have one value, user
1905 self.assertEquals(len(res), 1)
1906 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1907 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1909 def test_allowedAttributesEffective(self):
1910 object_dn = "OU=test_domain_ou1," + self.base_dn
1911 self.delete_force(self.ldb_admin, object_dn)
1912 self.create_domain_ou(self.ldb_admin, object_dn)
1913 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1914 #give testuser1 read access so attributes can be retrieved
1915 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1916 self.dacl_add_ace(object_dn, mod)
1917 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1918 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1919 attrs=["allowedAttributesEffective"])
1920 #there should be no allowed attributes
1921 self.assertEquals(len(res), 1)
1922 self.assertFalse("allowedAttributesEffective" in res[0].keys())
1923 #give the user the right to write displayName and managedBy
1924 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1925 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1926 # also rights to modify an read only attribute, fromEntry
1927 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1928 self.dacl_add_ace(object_dn, mod + mod2 + mod3)
1929 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1930 attrs=["allowedAttributesEffective"])
1931 # value should only contain user and managedBy
1932 self.assertEquals(len(res), 1)
1933 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1934 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1935 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1937 if not "://" in host:
1938 if os.path.isfile(host):
1939 host = "tdb://%s" % host
1941 host = "ldap://%s" % host
1943 # use 'paged_search' module when connecting remotely
1944 if host.lower().startswith("ldap://"):
1945 ldb_options = ["modules:paged_searches"]
1949 session_info=system_session(),
1951 options=ldb_options)
1953 runner = SubunitTestRunner()
1955 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1957 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1959 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
1961 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():