1 # Unix SMB/CIFS implementation.
2 #
3 #   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
17 #
18
19 """Smoke test for encrypted secrets
20
21 A quick test to confirm that the secret attributes are being stored
22 encrypted on disk.
23 """
24
25
26 import os
27 import ldb
28 import samba
29 from samba.tests import TestCase
30 from samba.credentials import Credentials
31 from samba.samdb import SamDB
32 from samba.auth import system_session
33 from samba.ndr import ndr_unpack
34 from samba.dcerpc import drsblobs
35
36
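class EncryptedSecretsTests(TestCase):
    """Smoke tests for the encrypted-secrets feature of the Samba AD DC.

    ``setUp`` opens the provisioned sam.ldb through ``SamDB`` with the
    system session.  The tests then look at two things: the raw partition
    backend file (to see what is actually written to disk) and the
    ``@SAMBA_DSDB`` record of the same database (to see that the feature
    is declared as required).
    """

    # Magic value expected in the header of an NDR-packed
    # drsblobs.EncryptedSecret blob.
    ENCRYPTED_SECRET_MAGIC = 0xca5caded

    def setUp(self):
        super(EncryptedSecretsTests, self).setUp()
        self.lp = samba.tests.env_loadparm()
        self.creds = Credentials()
        self.creds.guess(self.lp)
        # Assigned once; the original assigned system_session() twice.
        self.session = system_session()
        self.ldb = SamDB(session_info=self.session,
                         credentials=self.creds,
                         lp=self.lp)

    def test_encrypted_secrets(self):
        """Test that secret attributes are stored encrypted on disk.

        The domain partition's backend file is opened directly with plain
        ``ldb.Ldb`` rather than through ``SamDB``, so the value read for
        ``unicodePwd`` is the stored (on-disk) form.  That value must unpack
        as a ``drsblobs.EncryptedSecret`` whose header carries the expected
        magic value.
        """
        basedn = self.ldb.domain_dn()
        # Partition backend files live under sam.ldb.d/ and are named after
        # the upper-cased partition DN.
        backend_filename = "%s.ldb" % basedn.upper()
        backend_subpath = os.path.join("sam.ldb.d",
                                       backend_filename)
        backend_path = self.lp.private_path(backend_subpath)
        # NOTE(review): opening the raw file bypasses the samdb module
        # stack, which is presumably where transparent decryption lives;
        # that is what lets this test observe the on-disk representation.
        backenddb = ldb.Ldb(backend_path)

        dn = "CN=Administrator,CN=Users,%s" % basedn

        res = backenddb.search(scope=ldb.SCOPE_BASE,
                               base=dn,
                               attrs=["unicodePwd"])
        self.assertGreater(len(res), 0)
        obj = res[0]
        blob = obj["unicodePwd"][0]
        # The encrypted form carries a header plus ciphertext, so it is
        # expected to be well over 30 bytes; a bare, unencrypted hash
        # would be far shorter.
        self.assertTrue(len(blob) > 30)
        # Now verify that the header contains the correct magic value.
        encrypted = ndr_unpack(drsblobs.EncryptedSecret, blob)
        self.assertEqual(self.ENCRYPTED_SECRET_MAGIC, encrypted.header.magic)

    def test_required_features(self):
        """Test that the database was provisioned with ``encryptedSecrets``
        listed in the ``requiredFeatures`` attribute of ``@SAMBA_DSDB``.

        A required feature must be understood by any Samba version that
        opens the database, so this guards against the encrypted values
        being read by code that would not decrypt them.
        """
        res = self.ldb.search(scope=ldb.SCOPE_BASE,
                              base="@SAMBA_DSDB",
                              attrs=["requiredFeatures"])
        self.assertGreater(len(res), 0)
        self.assertIn("requiredFeatures", res[0])
        required_features = res[0]["requiredFeatures"]
        self.assertIn("encryptedSecrets", required_features)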