s4-secdesc: fixed the sec_descriptor.py test
[ira/wip.git] / source4 / lib / ldb / tests / python / sec_descriptor.py
1 #!/usr/bin/python
2 # -*- coding: utf-8 -*-
3
4 import getopt
5 import optparse
6 import sys
7 import os
8 import base64
9 import re
10 import random
11 import time
12
13 sys.path.append("bin/python")
14 sys.path.append("../lib/subunit/python")
15
16 import samba.getopt as options
17
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
20 from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM
21 from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
22
23 # For running the test unit
24 from samba.ndr import ndr_pack, ndr_unpack
25 from samba.dcerpc import security
26
27 from samba.auth import system_session
28 from samba import Ldb, DS_DOMAIN_FUNCTION_2008, SECINFO_OWNER, \
29     SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL
30 from subunit import SubunitTestRunner
31 import unittest
32
33 parser = optparse.OptionParser("sec_descriptor [options] <host>")
34 sambaopts = options.SambaOptions(parser)
35 parser.add_option_group(sambaopts)
36 parser.add_option_group(options.VersionOptions(parser))
37
38 # use command line creds if available
39 credopts = options.CredentialsOptions(parser)
40 parser.add_option_group(credopts)
41 opts, args = parser.parse_args()
42
43 if len(args) < 1:
44     parser.print_usage()
45     sys.exit(1)
46
47 host = args[0]
48
49 lp = sambaopts.get_loadparm()
50 creds = credopts.get_credentials(lp)
51
52 #
53 # Tests start here
54 #
55
56 class DescriptorTests(unittest.TestCase):
57
58     def delete_force(self, ldb, dn):
59         try:
60             ldb.delete(dn)
61         except LdbError, (num, _):
62             self.assertEquals(num, ERR_NO_SUCH_OBJECT)
63
64     def find_basedn(self, ldb):
65         res = ldb.search(base="", expression="", scope=SCOPE_BASE,
66                          attrs=["defaultNamingContext"])
67         self.assertEquals(len(res), 1)
68         return res[0]["defaultNamingContext"][0]
69
70     def find_configurationdn(self, ldb):
71         res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"])
72         self.assertEquals(len(res), 1)
73         return res[0]["configurationNamingContext"][0]
74
75     def find_schemadn(self, ldb):
76         res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"])
77         self.assertEquals(len(res), 1)
78         return res[0]["schemaNamingContext"][0]
79
80     def find_domain_sid(self, ldb):
81         res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
82         return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
83
84     def get_users_domain_dn(self, name):
85         return "CN=%s,CN=Users,%s" % (name, self.base_dn)
86
87     def modify_desc(self, _ldb, object_dn, desc, controls=None):
88         assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
89         mod = """
90 dn: """ + object_dn + """
91 changetype: modify
92 replace: nTSecurityDescriptor
93 """
94         if isinstance(desc, str):
95             mod += "nTSecurityDescriptor: %s" % desc
96         elif isinstance(desc, security.descriptor):
97             mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
98         _ldb.modify_ldif(mod, controls)
99
100     def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
101         ldif = """
102 dn: """ + ou_dn + """
103 ou: """ + ou_dn.split(",")[0][3:] + """
104 objectClass: organizationalUnit
105 url: www.example.com
106 """
107         if desc:
108             assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
109             if isinstance(desc, str):
110                 ldif += "nTSecurityDescriptor: %s" % desc
111             elif isinstance(desc, security.descriptor):
112                 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
113         _ldb.add_ldif(ldif, controls)
114
115     def create_domain_user(self, _ldb, user_dn, desc=None):
116         ldif = """
117 dn: """ + user_dn + """
118 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
119 objectClass: user
120 userPassword: samba123@
121 url: www.example.com
122 """
123         if desc:
124             assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
125             if isinstance(desc, str):
126                 ldif += "nTSecurityDescriptor: %s" % desc
127             elif isinstance(desc, security.descriptor):
128                 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
129         _ldb.add_ldif(ldif)
130
131     def create_domain_group(self, _ldb, group_dn, desc=None):
132         ldif = """
133 dn: """ + group_dn + """
134 objectClass: group
135 sAMAccountName: """ + group_dn.split(",")[0][3:] + """
136 groupType: 4
137 url: www.example.com
138 """
139         if desc:
140             assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
141             if isinstance(desc, str):
142                 ldif += "nTSecurityDescriptor: %s" % desc
143             elif isinstance(desc, security.descriptor):
144                 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
145         _ldb.add_ldif(ldif)
146
147     def get_unique_schema_class_name(self):
148         while True:
149             class_name = "test-class%s" % random.randint(1,100000)
150             class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
151             try:
152                 self.ldb_admin.search(base=class_dn, attrs=["*"])
153             except LdbError, (num, _):
154                 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
155                 return class_name
156
157     def create_schema_class(self, _ldb, object_dn, desc=None):
158         ldif = """
159 dn: """ + object_dn + """
160 objectClass: classSchema
161 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
162 defaultObjectCategory: """ + object_dn + """
163 distinguishedName: """ + object_dn + """
164 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
165 instanceType: 4
166 objectClassCategory: 1
167 subClassOf: organizationalPerson
168 systemFlags: 16
169 rDNAttID: cn
170 systemMustContain: cn
171 systemOnly: FALSE
172 """
173         if desc:
174             assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
175             if isinstance(desc, str):
176                 ldif += "nTSecurityDescriptor: %s" % desc
177             elif isinstance(desc, security.descriptor):
178                 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
179         _ldb.add_ldif(ldif)
180
181     def create_configuration_container(self, _ldb, object_dn, desc=None):
182         ldif = """
183 dn: """ + object_dn + """
184 objectClass: container
185 objectCategory: CN=Container,""" + self.schema_dn + """
186 showInAdvancedViewOnly: TRUE
187 instanceType: 4
188 """
189         if desc:
190             assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
191             if isinstance(desc, str):
192                 ldif += "nTSecurityDescriptor: %s" % desc
193             elif isinstance(desc, security.descriptor):
194                 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
195         _ldb.add_ldif(ldif)
196
197     def create_configuration_specifier(self, _ldb, object_dn, desc=None):
198         ldif = """
199 dn: """ + object_dn + """
200 objectClass: displaySpecifier
201 showInAdvancedViewOnly: TRUE
202 """
203         if desc:
204             assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
205             if isinstance(desc, str):
206                 ldif += "nTSecurityDescriptor: %s" % desc
207             elif isinstance(desc, security.descriptor):
208                 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
209         _ldb.add_ldif(ldif)
210
211     def read_desc(self, object_dn, controls=None):
212         res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
213         desc = res[0]["nTSecurityDescriptor"][0]
214         return ndr_unpack(security.descriptor, desc)
215
216     def enable_account(self,  user_dn):
217         """Enable an account.
218         :param user_dn: Dn of the account to enable.
219         """
220         res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"])
221         assert len(res) == 1
222         userAccountControl = res[0]["userAccountControl"][0]
223         userAccountControl = int(userAccountControl)
224         if (userAccountControl & 0x2):
225             userAccountControl = userAccountControl & ~0x2 # remove disabled bit
226         if (userAccountControl & 0x20):
227             userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit
228         mod = """
229 dn: """ + user_dn + """
230 changetype: modify
231 replace: userAccountControl
232 userAccountControl: %s""" % userAccountControl
233         if self.WIN2003:
234             mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod)
235         self.ldb_admin.modify_ldif(mod)
236
237     def get_ldb_connection(self, target_username, target_password):
238         username_save = creds.get_username(); password_save = creds.get_password()
239         creds.set_username(target_username)
240         creds.set_password(target_password)
241         ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp)
242         creds.set_username(username_save); creds.set_password(password_save)
243         return ldb_target
244
245     def get_object_sid(self, object_dn):
246         res = self.ldb_admin.search(object_dn)
247         return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
248
249     def dacl_add_ace(self, object_dn, ace):
250         desc = self.read_desc( object_dn )
251         desc_sddl = desc.as_sddl( self.domain_sid )
252         if ace in desc_sddl:
253             return
254         if desc_sddl.find("(") >= 0:
255             desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
256         else:
257             desc_sddl = desc_sddl + ace
258         self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
259
260     def get_desc_sddl(self, object_dn, controls=None):
261         """ Return object nTSecutiryDescriptor in SDDL format
262         """
263         desc = self.read_desc(object_dn, controls)
264         return desc.as_sddl(self.domain_sid)
265
266     def setUp(self):
267         self.ldb_admin = ldb
268         self.base_dn = self.find_basedn(self.ldb_admin)
269         self.configuration_dn = self.find_configurationdn(self.ldb_admin)
270         self.schema_dn = self.find_schemadn(self.ldb_admin)
271         self.domain_sid = self.find_domain_sid(self.ldb_admin)
272         print "baseDN: %s" % self.base_dn
273         self.SAMBA = False; self.WIN2003 = False
274         res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"])
275         if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]:
276             self.SAMBA = True
277         else:
278             self.WIN2003 = True
279
280     ################################################################################################
281
282     ## Tests for DOMAIN
283
284     # Default descriptor tests #####################################################################
285
286 class OwnerGroupDescriptorTests(DescriptorTests):
287
288     def deleteAll(self):
289         if self.SAMBA:
290             self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
291             self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
292             self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
293             self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
294             self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
295             self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
296             self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
297             self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
298         # DOMAIN
299         self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
300         self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
301         self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
302         self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
303         # SCHEMA
304         # CONFIGURATION
305         self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
306                 + self.configuration_dn)
307         self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
308
309     def setUp(self):
310         DescriptorTests.setUp(self)
311         self.deleteAll()
312         if self.SAMBA:
313             ### Create users
314             # User 1
315             user_dn = self.get_users_domain_dn("testuser1")
316             self.create_domain_user(self.ldb_admin, user_dn)
317             self.enable_account(user_dn)
318             ldif = """
319 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
320 changetype: modify
321 add: member
322 member: """ + user_dn
323             self.ldb_admin.modify_ldif(ldif)
324             # User 2
325             user_dn = self.get_users_domain_dn("testuser2")
326             self.create_domain_user(self.ldb_admin, user_dn)
327             self.enable_account(user_dn)
328             ldif = """
329 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
330 changetype: modify
331 add: member
332 member: """ + user_dn
333             self.ldb_admin.modify_ldif(ldif)
334             # User 3
335             user_dn = self.get_users_domain_dn("testuser3")
336             self.create_domain_user(self.ldb_admin, user_dn)
337             self.enable_account(user_dn)
338             ldif = """
339 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
340 changetype: modify
341 add: member
342 member: """ + user_dn
343             self.ldb_admin.modify_ldif(ldif)
344             # User 4
345             user_dn = self.get_users_domain_dn("testuser4")
346             self.create_domain_user(self.ldb_admin, user_dn)
347             self.enable_account(user_dn)
348             # User 5
349             user_dn = self.get_users_domain_dn("testuser5")
350             self.create_domain_user(self.ldb_admin, user_dn)
351             self.enable_account(user_dn)
352             ldif = """
353 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
354 changetype: modify
355 add: member
356 member: """ + user_dn + """
357
358 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
359 changetype: modify
360 add: member
361 member: """ + user_dn
362             self.ldb_admin.modify_ldif(ldif)
363             # User 6
364             user_dn = self.get_users_domain_dn("testuser6")
365             self.create_domain_user(self.ldb_admin, user_dn)
366             self.enable_account(user_dn)
367             ldif = """
368 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
369 changetype: modify
370 add: member
371 member: """ + user_dn + """
372
373 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
374 changetype: modify
375 add: member
376 member: """ + user_dn + """
377
378 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
379 changetype: modify
380 add: member
381 member: """ + user_dn
382             self.ldb_admin.modify_ldif(ldif)
383             # User 7
384             user_dn = self.get_users_domain_dn("testuser7")
385             self.create_domain_user(self.ldb_admin, user_dn)
386             self.enable_account(user_dn)
387             ldif = """
388 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
389 changetype: modify
390 add: member
391 member: """ + user_dn + """
392
393 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
394 changetype: modify
395 add: member
396 member: """ + user_dn
397             self.ldb_admin.modify_ldif(ldif)
398             # User 8
399             user_dn = self.get_users_domain_dn("testuser8")
400             self.create_domain_user(self.ldb_admin, user_dn)
401             self.enable_account(user_dn)
402             ldif = """
403 dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """
404 changetype: modify
405 add: member
406 member: """ + user_dn + """
407
408 dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """
409 changetype: modify
410 add: member
411 member: """ + user_dn
412             self.ldb_admin.modify_ldif(ldif)
413         self.results = {
414             # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
415             "ds_behavior_win2003" : {
416                 "100" : "O:EAG:DU",
417                 "101" : "O:DAG:DU",
418                 "102" : "O:%sG:DU",
419                 "103" : "O:%sG:DU",
420                 "104" : "O:DAG:DU",
421                 "105" : "O:DAG:DU",
422                 "106" : "O:DAG:DU",
423                 "107" : "O:EAG:DU",
424                 "108" : "O:DAG:DA",
425                 "109" : "O:DAG:DA",
426                 "110" : "O:%sG:DA",
427                 "111" : "O:%sG:DA",
428                 "112" : "O:DAG:DA",
429                 "113" : "O:DAG:DA",
430                 "114" : "O:DAG:DA",
431                 "115" : "O:DAG:DA",
432                 "130" : "O:EAG:DU",
433                 "131" : "O:DAG:DU",
434                 "132" : "O:SAG:DU",
435                 "133" : "O:%sG:DU",
436                 "134" : "O:EAG:DU",
437                 "135" : "O:SAG:DU",
438                 "136" : "O:SAG:DU",
439                 "137" : "O:SAG:DU",
440                 "138" : "O:DAG:DA",
441                 "139" : "O:DAG:DA",
442                 "140" : "O:%sG:DA",
443                 "141" : "O:%sG:DA",
444                 "142" : "O:DAG:DA",
445                 "143" : "O:DAG:DA",
446                 "144" : "O:DAG:DA",
447                 "145" : "O:DAG:DA",
448                 "160" : "O:EAG:DU",
449                 "161" : "O:DAG:DU",
450                 "162" : "O:%sG:DU",
451                 "163" : "O:%sG:DU",
452                 "164" : "O:EAG:DU",
453                 "165" : "O:EAG:DU",
454                 "166" : "O:DAG:DU",
455                 "167" : "O:EAG:DU",
456                 "168" : "O:DAG:DA",
457                 "169" : "O:DAG:DA",
458                 "170" : "O:%sG:DA",
459                 "171" : "O:%sG:DA",
460                 "172" : "O:DAG:DA",
461                 "173" : "O:DAG:DA",
462                 "174" : "O:DAG:DA",
463                 "175" : "O:DAG:DA",
464             },
465             # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
466             "ds_behavior_win2008" : {
467                 "100" : "O:EAG:EA",
468                 "101" : "O:DAG:DA",
469                 "102" : "O:%sG:DU",
470                 "103" : "O:%sG:DU",
471                 "104" : "O:DAG:DA",
472                 "105" : "O:DAG:DA",
473                 "106" : "O:DAG:DA",
474                 "107" : "O:EAG:EA",
475                 "108" : "O:DAG:DA",
476                 "109" : "O:DAG:DA",
477                 "110" : "O:%sG:DA",
478                 "111" : "O:%sG:DA",
479                 "112" : "O:DAG:DA",
480                 "113" : "O:DAG:DA",
481                 "114" : "O:DAG:DA",
482                 "115" : "O:DAG:DA",
483                 "130" : "O:EAG:EA",
484                 "131" : "O:DAG:DA",
485                 "132" : "O:SAG:SA",
486                 "133" : "O:%sG:DU",
487                 "134" : "O:EAG:EA",
488                 "135" : "O:SAG:SA",
489                 "136" : "O:SAG:SA",
490                 "137" : "O:SAG:SA",
491                 "138" : "",
492                 "139" : "",
493                 "140" : "O:%sG:DA",
494                 "141" : "O:%sG:DA",
495                 "142" : "",
496                 "143" : "",
497                 "144" : "",
498                 "145" : "",
499                 "160" : "O:EAG:EA",
500                 "161" : "O:DAG:DA",
501                 "162" : "O:%sG:DU",
502                 "163" : "O:%sG:DU",
503                 "164" : "O:EAG:EA",
504                 "165" : "O:EAG:EA",
505                 "166" : "O:DAG:DA",
506                 "167" : "O:EAG:EA",
507                 "168" : "O:DAG:DA",
508                 "169" : "O:DAG:DA",
509                 "170" : "O:%sG:DA",
510                 "171" : "O:%sG:DA",
511                 "172" : "O:DAG:DA",
512                 "173" : "O:DAG:DA",
513                 "174" : "O:DAG:DA",
514                 "175" : "O:DAG:DA",
515             },
516         }
517         # Discover 'msDS-Behavior-Version'
518         res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
519                 attrs=['msDS-Behavior-Version'])
520         res = int(res[0]['msDS-Behavior-Version'][0])
521         if res < DS_DOMAIN_FUNCTION_2008:
522             self.DS_BEHAVIOR = "ds_behavior_win2003"
523         else:
524             self.DS_BEHAVIOR = "ds_behavior_win2008"
525
526     def tearDown(self):
527         self.deleteAll()
528
529     def check_user_belongs(self, user_dn, groups=[]):
530         """ Test wether user is member of the expected group(s) """
531         if groups != []:
532             # User is member of at least one additional group
533             res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
534             res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
535             expected = []
536             for x in groups:
537                 expected.append(self.get_users_domain_dn(x))
538             expected = [x.upper() for x in sorted(expected)]
539             self.assertEqual(expected, res)
540         else:
541             # User is not a member of any additional groups but default
542             res = self.ldb_admin.search(user_dn, attrs=["*"])
543             res = [x.upper() for x in res[0].keys()]
544             self.assertFalse( "MEMBEROF" in res)
545
546     def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
547         # Modify
548         ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
549         if owner_group != "":
550             self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
551         else:
552             self.modify_desc(_ldb, object_dn, "D:" + ace)
553         # Make sure the modify operation has been applied
554         desc_sddl = self.get_desc_sddl(object_dn)
555         self.assertTrue(ace in desc_sddl)
556         # Make sure we have identical result for both "add" and "modify"
557         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
558         print self._testMethodName
559         test_number = self._testMethodName[5:]
560         self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
561
562     def test_100(self):
563         """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
564         """
565         user_name = "testuser1"
566         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
567         # Open Ldb connection with the tested user
568         _ldb = self.get_ldb_connection(user_name, "samba123@")
569         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
570         self.delete_force(self.ldb_admin, object_dn)
571         self.create_domain_group(_ldb, object_dn)
572         desc_sddl = self.get_desc_sddl(object_dn)
573         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
574         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
575         self.check_modify_inheritance(_ldb, object_dn)
576
577     def test_101(self):
578         """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
579         """
580         user_name = "testuser2"
581         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
582         # Open Ldb connection with the tested user
583         _ldb = self.get_ldb_connection(user_name, "samba123@")
584         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
585         self.delete_force(self.ldb_admin, object_dn)
586         self.create_domain_group(_ldb, object_dn)
587         desc_sddl = self.get_desc_sddl(object_dn)
588         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
589         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
590         self.check_modify_inheritance(_ldb, object_dn)
591
592     def test_102(self):
593         """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
594         """
595         user_name = "testuser3"
596         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
597         # Open Ldb connection with the tested user
598         _ldb = self.get_ldb_connection(user_name, "samba123@")
599         object_dn = "OU=test_domain_ou1," + self.base_dn
600         self.delete_force(self.ldb_admin, object_dn)
601         self.create_domain_ou(self.ldb_admin, object_dn)
602         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
603         mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
604         self.dacl_add_ace(object_dn, mod)
605         # Create additional object into the first one
606         object_dn = "CN=test_domain_user1," + object_dn
607         self.delete_force(self.ldb_admin, object_dn)
608         self.create_domain_user(_ldb, object_dn)
609         desc_sddl = self.get_desc_sddl(object_dn)
610         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
611         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
612         # This fails, research why
613         #self.check_modify_inheritance(_ldb, object_dn)
614
615     def test_103(self):
616         """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
617         """
618         user_name = "testuser4"
619         self.check_user_belongs(self.get_users_domain_dn(user_name), [])
620         # Open Ldb connection with the tested user
621         _ldb = self.get_ldb_connection(user_name, "samba123@")
622         object_dn = "OU=test_domain_ou1," + self.base_dn
623         self.delete_force(self.ldb_admin, object_dn)
624         self.create_domain_ou(self.ldb_admin, object_dn)
625         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
626         mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
627         self.dacl_add_ace(object_dn, mod)
628         # Create additional object into the first one
629         object_dn = "CN=test_domain_user1," + object_dn
630         self.delete_force(self.ldb_admin, object_dn)
631         self.create_domain_user(_ldb, object_dn)
632         desc_sddl = self.get_desc_sddl(object_dn)
633         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
634         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
635         #this fails, research why
636         #self.check_modify_inheritance(_ldb, object_dn)
637
638     def test_104(self):
639         """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
640         """
641         user_name = "testuser5"
642         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
643         # Open Ldb connection with the tested user
644         _ldb = self.get_ldb_connection(user_name, "samba123@")
645         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
646         self.delete_force(self.ldb_admin, object_dn)
647         self.create_domain_group(_ldb, object_dn)
648         desc_sddl = self.get_desc_sddl(object_dn)
649         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
650         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
651         self.check_modify_inheritance(_ldb, object_dn)
652
653     def test_105(self):
654         """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
655         """
656         user_name = "testuser6"
657         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
658         # Open Ldb connection with the tested user
659         _ldb = self.get_ldb_connection(user_name, "samba123@")
660         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
661         self.delete_force(self.ldb_admin, object_dn)
662         self.create_domain_group(_ldb, object_dn)
663         desc_sddl = self.get_desc_sddl(object_dn)
664         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
665         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
666         self.check_modify_inheritance(_ldb, object_dn)
667
668     def test_106(self):
669         """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
670         """
671         user_name = "testuser7"
672         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
673         # Open Ldb connection with the tested user
674         _ldb = self.get_ldb_connection(user_name, "samba123@")
675         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
676         self.delete_force(self.ldb_admin, object_dn)
677         self.create_domain_group(_ldb, object_dn)
678         desc_sddl = self.get_desc_sddl(object_dn)
679         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
680         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
681         self.check_modify_inheritance(_ldb, object_dn)
682
683     def test_107(self):
684         """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
685         """
686         user_name = "testuser8"
687         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
688         # Open Ldb connection with the tested user
689         _ldb = self.get_ldb_connection(user_name, "samba123@")
690         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
691         self.delete_force(self.ldb_admin, object_dn)
692         self.create_domain_group(_ldb, object_dn)
693         desc_sddl = self.get_desc_sddl(object_dn)
694         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
695         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
696         self.check_modify_inheritance(_ldb, object_dn)
697
698     # Control descriptor tests #####################################################################
699
700     def test_108(self):
701         """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
702         """
703         user_name = "testuser1"
704         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
705         # Open Ldb connection with the tested user
706         _ldb = self.get_ldb_connection(user_name, "samba123@")
707         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
708         self.delete_force(self.ldb_admin, object_dn)
709         # Create a custom security descriptor
710         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
711         self.create_domain_group(_ldb, object_dn, desc_sddl)
712         desc_sddl = self.get_desc_sddl(object_dn)
713         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
714         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
715
716     def test_109(self):
717         """ Domain admin group member creates object (custom descriptor) in DOMAIN
718         """
719         user_name = "testuser2"
720         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
721         # Open Ldb connection with the tested user
722         _ldb = self.get_ldb_connection(user_name, "samba123@")
723         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
724         self.delete_force(self.ldb_admin, object_dn)
725         # Create a custom security descriptor
726         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
727         self.create_domain_group(_ldb, object_dn, desc_sddl)
728         desc_sddl = self.get_desc_sddl(object_dn)
729         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
730         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
731
732     def test_110(self):
733         """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
734         """
735         user_name = "testuser3"
736         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
737         # Open Ldb connection with the tested user
738         _ldb = self.get_ldb_connection(user_name, "samba123@")
739         object_dn = "OU=test_domain_ou1," + self.base_dn
740         self.delete_force(self.ldb_admin, object_dn)
741         self.create_domain_ou(self.ldb_admin, object_dn)
742         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
743         mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
744         self.dacl_add_ace(object_dn, mod)
745         # Create a custom security descriptor
746         # NB! Problematic owner part won't accept DA only <User Sid> !!!
747         desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
748         # Create additional object into the first one
749         object_dn = "CN=test_domain_user1," + object_dn
750         self.delete_force(self.ldb_admin, object_dn)
751         self.create_domain_user(_ldb, object_dn, desc_sddl)
752         desc = self.read_desc(object_dn)
753         desc_sddl = self.get_desc_sddl(object_dn)
754         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
755         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
756
757     def test_111(self):
758         """ Regular user with CC right creates object (custom descriptor) in DOMAIN
759         """
760         user_name = "testuser4"
761         self.check_user_belongs(self.get_users_domain_dn(user_name), [])
762         # Open Ldb connection with the tested user
763         _ldb = self.get_ldb_connection(user_name, "samba123@")
764         object_dn = "OU=test_domain_ou1," + self.base_dn
765         self.delete_force(self.ldb_admin, object_dn)
766         self.create_domain_ou(self.ldb_admin, object_dn)
767         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
768         mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
769         self.dacl_add_ace(object_dn, mod)
770         # Create a custom security descriptor
771         # NB! Problematic owner part won't accept DA only <User Sid> !!!
772         desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
773         # Create additional object into the first one
774         object_dn = "CN=test_domain_user1," + object_dn
775         self.delete_force(self.ldb_admin, object_dn)
776         self.create_domain_user(_ldb, object_dn, desc_sddl)
777         desc = self.read_desc(object_dn)
778         desc_sddl = self.get_desc_sddl(object_dn)
779         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
780         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
781
782     def test_112(self):
783         """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
784         """
785         user_name = "testuser5"
786         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
787         # Open Ldb connection with the tested user
788         _ldb = self.get_ldb_connection(user_name, "samba123@")
789         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
790         self.delete_force(self.ldb_admin, object_dn)
791         # Create a custom security descriptor
792         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
793         self.create_domain_group(_ldb, object_dn, desc_sddl)
794         desc_sddl = self.get_desc_sddl(object_dn)
795         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
796         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
797
798     def test_113(self):
799         """ Domain & Enterprise & Schema admin group  member creates object (custom descriptor) in DOMAIN
800         """
801         user_name = "testuser6"
802         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
803         # Open Ldb connection with the tested user
804         _ldb = self.get_ldb_connection(user_name, "samba123@")
805         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
806         self.delete_force(self.ldb_admin, object_dn)
807         # Create a custom security descriptor
808         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
809         self.create_domain_group(_ldb, object_dn, desc_sddl)
810         desc_sddl = self.get_desc_sddl(object_dn)
811         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
812         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
813
814     def test_114(self):
815         """ Domain & Schema admin group  member creates object (custom descriptor) in DOMAIN
816         """
817         user_name = "testuser7"
818         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
819         # Open Ldb connection with the tested user
820         _ldb = self.get_ldb_connection(user_name, "samba123@")
821         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
822         self.delete_force(self.ldb_admin, object_dn)
823         # Create a custom security descriptor
824         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
825         self.create_domain_group(_ldb, object_dn, desc_sddl)
826         desc_sddl = self.get_desc_sddl(object_dn)
827         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
828         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
829
830     def test_115(self):
831         """ Enterprise & Schema admin group  member creates object (custom descriptor) in DOMAIN
832         """
833         user_name = "testuser8"
834         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
835         # Open Ldb connection with the tested user
836         _ldb = self.get_ldb_connection(user_name, "samba123@")
837         object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
838         self.delete_force(self.ldb_admin, object_dn)
839         # Create a custom security descriptor
840         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
841         self.create_domain_group(_ldb, object_dn, desc_sddl)
842         desc_sddl = self.get_desc_sddl(object_dn)
843         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
844         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
845
846     def test_999(self):
847         user_name = "Administrator"
848         object_dn = "OU=test_domain_ou1," + self.base_dn
849         self.delete_force(self.ldb_admin, object_dn)
850         self.create_domain_ou(self.ldb_admin, object_dn)
851         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
852         mod = "(D;CI;WP;;;S-1-3-0)"
853         #mod = ""
854         self.dacl_add_ace(object_dn, mod)
855         desc_sddl = self.get_desc_sddl(object_dn)
856         # Create additional object into the first one
857         object_dn = "OU=test_domain_ou2," + object_dn
858         self.delete_force(self.ldb_admin, object_dn)
859         self.create_domain_ou(self.ldb_admin, object_dn)
860         desc_sddl = self.get_desc_sddl(object_dn)
861
862     ## Tests for SCHEMA
863
864     # Defalt descriptor tests ##################################################################
865
866     def test_130(self):
867         user_name = "testuser1"
868         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
869         # Open Ldb connection with the tested user
870         _ldb = self.get_ldb_connection(user_name, "samba123@")
871         # Change Schema partition descriptor
872         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
873         mod = "(A;;WDCC;;;AU)"
874         self.dacl_add_ace(self.schema_dn, mod)
875         # Create example Schema class
876         class_name = self.get_unique_schema_class_name()
877         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
878         self.create_schema_class(_ldb, class_dn)
879         desc_sddl = self.get_desc_sddl(class_dn)
880         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
881         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
882         self.check_modify_inheritance(_ldb, class_dn)
883
884     def test_131(self):
885         user_name = "testuser2"
886         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
887         # Open Ldb connection with the tested user
888         _ldb = self.get_ldb_connection(user_name, "samba123@")
889         # Change Schema partition descriptor
890         mod = "(A;CI;WDCC;;;AU)"
891         self.dacl_add_ace(self.schema_dn, mod)
892         # Create example Schema class
893         class_name = self.get_unique_schema_class_name()
894         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
895         self.create_schema_class(_ldb, class_dn)
896         desc_sddl = self.get_desc_sddl(class_dn)
897         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
898         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
899         self.check_modify_inheritance(_ldb, class_dn)
900
901     def test_132(self):
902         user_name = "testuser3"
903         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
904         # Open Ldb connection with the tested user
905         _ldb = self.get_ldb_connection(user_name, "samba123@")
906         # Change Schema partition descriptor
907         mod = "(A;CI;WDCC;;;AU)"
908         self.dacl_add_ace(self.schema_dn, mod)
909         # Create example Schema class
910         class_name = self.get_unique_schema_class_name()
911         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
912         self.create_schema_class(_ldb, class_dn)
913         desc_sddl = self.get_desc_sddl(class_dn)
914         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
915         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
916         #self.check_modify_inheritance(_ldb, class_dn)
917
918     def test_133(self):
919         user_name = "testuser4"
920         self.check_user_belongs(self.get_users_domain_dn(user_name), [])
921         # Open Ldb connection with the tested user
922         _ldb = self.get_ldb_connection(user_name, "samba123@")
923         #Change Schema partition descriptor
924         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
925         mod = "(A;CI;WDCC;;;AU)"
926         self.dacl_add_ace(self.schema_dn, mod)
927         # Create example Schema class
928         class_name = self.get_unique_schema_class_name()
929         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
930         self.create_schema_class(_ldb, class_dn)
931         desc_sddl = self.get_desc_sddl(class_dn)
932         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
933         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
934         #self.check_modify_inheritance(_ldb, class_dn)
935
936     def test_134(self):
937         user_name = "testuser5"
938         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
939         # Open Ldb connection with the tested user
940         _ldb = self.get_ldb_connection(user_name, "samba123@")
941         #Change Schema partition descriptor
942         mod = "(A;CI;WDCC;;;AU)"
943         self.dacl_add_ace(self.schema_dn, mod)
944         # Create example Schema class
945         class_name = self.get_unique_schema_class_name()
946         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
947         self.create_schema_class(_ldb, class_dn)
948         desc_sddl = self.get_desc_sddl(class_dn)
949         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
950         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
951         self.check_modify_inheritance(_ldb, class_dn)
952
953     def test_135(self):
954         user_name = "testuser6"
955         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
956         # Open Ldb connection with the tested user
957         _ldb = self.get_ldb_connection(user_name, "samba123@")
958         # Change Schema partition descriptor
959         mod = "(A;CI;WDCC;;;AU)"
960         self.dacl_add_ace(self.schema_dn, mod)
961         # Create example Schema class
962         class_name = self.get_unique_schema_class_name()
963         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
964         self.create_schema_class(_ldb, class_dn)
965         desc_sddl = self.get_desc_sddl(class_dn)
966         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
967         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
968         self.check_modify_inheritance(_ldb, class_dn)
969
970     def test_136(self):
971         user_name = "testuser7"
972         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
973         # Open Ldb connection with the tested user
974         _ldb = self.get_ldb_connection(user_name, "samba123@")
975         # Change Schema partition descriptor
976         mod = "(A;CI;WDCC;;;AU)"
977         self.dacl_add_ace(self.schema_dn, mod)
978         # Create example Schema class
979         class_name = self.get_unique_schema_class_name()
980         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
981         self.create_schema_class(_ldb, class_dn)
982         desc_sddl = self.get_desc_sddl(class_dn)
983         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
984         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
985         self.check_modify_inheritance(_ldb, class_dn)
986
987     def test_137(self):
988         user_name = "testuser8"
989         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
990         # Open Ldb connection with the tested user
991         _ldb = self.get_ldb_connection(user_name, "samba123@")
992         # Change Schema partition descriptor
993         mod = "(A;CI;WDCC;;;AU)"
994         self.dacl_add_ace(self.schema_dn, mod)
995         # Create example Schema class
996         class_name = self.get_unique_schema_class_name()
997         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
998         self.create_schema_class(_ldb, class_dn)
999         desc_sddl = self.get_desc_sddl(class_dn)
1000         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1001         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1002         self.check_modify_inheritance(_ldb, class_dn)
1003
1004     # Custom descriptor tests ##################################################################
1005
1006     def test_138(self):
1007         user_name = "testuser1"
1008         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1009         # Open Ldb connection with the tested user
1010         _ldb = self.get_ldb_connection(user_name, "samba123@")
1011         # Change Schema partition descriptor
1012         mod = "(A;;CC;;;AU)"
1013         self.dacl_add_ace(self.schema_dn, mod)
1014         # Create a custom security descriptor
1015         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1016         # Create example Schema class
1017         class_name = self.get_unique_schema_class_name()
1018         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1019         self.create_schema_class(_ldb, class_dn, desc_sddl)
1020         desc_sddl = self.get_desc_sddl(class_dn)
1021         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1022         self.assertEqual("O:DAG:DA", res)
1023
1024     def test_139(self):
1025         user_name = "testuser2"
1026         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1027         # Open Ldb connection with the tested user
1028         _ldb = self.get_ldb_connection(user_name, "samba123@")
1029         # Change Schema partition descriptor
1030         mod = "(A;;CC;;;AU)"
1031         self.dacl_add_ace(self.schema_dn, mod)
1032         # Create a custom security descriptor
1033         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1034         # Create example Schema class
1035         class_name = self.get_unique_schema_class_name()
1036         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1037         self.create_schema_class(_ldb, class_dn, desc_sddl)
1038         desc_sddl = self.get_desc_sddl(class_dn)
1039         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1040         self.assertEqual("O:DAG:DA", res)
1041
1042     def test_140(self):
1043         user_name = "testuser3"
1044         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1045         # Open Ldb connection with the tested user
1046         _ldb = self.get_ldb_connection(user_name, "samba123@")
1047         # Create a custom security descriptor
1048         # NB! Problematic owner part won't accept DA only <User Sid> !!!
1049         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1050         desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1051         # Create example Schema class
1052         class_name = self.get_unique_schema_class_name()
1053         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1054         self.create_schema_class(_ldb, class_dn, desc_sddl)
1055         desc_sddl = self.get_desc_sddl(class_dn)
1056         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1057         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1058
1059     def test_141(self):
1060         user_name = "testuser4"
1061         self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1062         # Open Ldb connection with the tested user
1063         _ldb = self.get_ldb_connection(user_name, "samba123@")
1064         # Create a custom security descriptor
1065         # NB! Problematic owner part won't accept DA only <User Sid> !!!
1066         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1067         desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1068         # Create example Schema class
1069         class_name = self.get_unique_schema_class_name()
1070         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1071         self.create_schema_class(_ldb, class_dn, desc_sddl)
1072         desc_sddl = self.get_desc_sddl(class_dn)
1073         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1074         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1075
1076     def test_142(self):
1077         user_name = "testuser5"
1078         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1079         # Open Ldb connection with the tested user
1080         _ldb = self.get_ldb_connection(user_name, "samba123@")
1081         # Change Schema partition descriptor
1082         mod = "(A;;CC;;;AU)"
1083         self.dacl_add_ace(self.schema_dn, mod)
1084         # Create a custom security descriptor
1085         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1086         # Create example Schema class
1087         class_name = self.get_unique_schema_class_name()
1088         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1089         self.create_schema_class(_ldb, class_dn, desc_sddl)
1090         desc_sddl = self.get_desc_sddl(class_dn)
1091         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1092         self.assertEqual("O:DAG:DA", res)
1093
1094     def test_143(self):
1095         user_name = "testuser6"
1096         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1097         # Open Ldb connection with the tested user
1098         _ldb = self.get_ldb_connection(user_name, "samba123@")
1099         # Change Schema partition descriptor
1100         mod = "(A;;CC;;;AU)"
1101         self.dacl_add_ace(self.schema_dn, mod)
1102         # Create a custom security descriptor
1103         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1104         # Create example Schema class
1105         class_name = self.get_unique_schema_class_name()
1106         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1107         self.create_schema_class(_ldb, class_dn, desc_sddl)
1108         desc_sddl = self.get_desc_sddl(class_dn)
1109         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1110         self.assertEqual("O:DAG:DA", res)
1111
1112     def test_144(self):
1113         user_name = "testuser7"
1114         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1115         # Open Ldb connection with the tested user
1116         _ldb = self.get_ldb_connection(user_name, "samba123@")
1117         # Change Schema partition descriptor
1118         mod = "(A;;CC;;;AU)"
1119         self.dacl_add_ace(self.schema_dn, mod)
1120         # Create a custom security descriptor
1121         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1122         # Create example Schema class
1123         class_name = self.get_unique_schema_class_name()
1124         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1125         self.create_schema_class(_ldb, class_dn, desc_sddl)
1126         desc_sddl = self.get_desc_sddl(class_dn)
1127         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1128         self.assertEqual("O:DAG:DA", res)
1129
1130     def test_145(self):
1131         user_name = "testuser8"
1132         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1133         # Open Ldb connection with the tested user
1134         _ldb = self.get_ldb_connection(user_name, "samba123@")
1135         # Change Schema partition descriptor
1136         mod = "(A;;CC;;;AU)"
1137         self.dacl_add_ace(self.schema_dn, mod)
1138         # Create a custom security descriptor
1139         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1140         # Create example Schema class
1141         class_name = self.get_unique_schema_class_name()
1142         class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1143         self.create_schema_class(_ldb, class_dn, desc_sddl)
1144         desc_sddl = self.get_desc_sddl(class_dn)
1145         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1146         self.assertEqual("O:DAG:DA", res)
1147
1148     ## Tests for CONFIGURATION
1149
1150     # Defalt descriptor tests ##################################################################
1151
1152     def test_160(self):
1153         user_name = "testuser1"
1154         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1155         # Open Ldb connection with the tested user
1156         _ldb = self.get_ldb_connection(user_name, "samba123@")
1157         # Create example Configuration container
1158         container_name = "test-container1"
1159         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1160         self.delete_force(self.ldb_admin, object_dn)
1161         self.create_configuration_container(_ldb, object_dn, )
1162         desc_sddl = self.get_desc_sddl(object_dn)
1163         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1164         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1165         self.check_modify_inheritance(_ldb, object_dn)
1166
1167     def test_161(self):
1168         user_name = "testuser2"
1169         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1170         # Open Ldb connection with the tested user
1171         _ldb = self.get_ldb_connection(user_name, "samba123@")
1172         # Create example Configuration container
1173         container_name = "test-container1"
1174         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1175         self.delete_force(self.ldb_admin, object_dn)
1176         self.create_configuration_container(_ldb, object_dn, )
1177         desc_sddl = self.get_desc_sddl(object_dn)
1178         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1179         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1180         self.check_modify_inheritance(_ldb, object_dn)
1181
1182     def test_162(self):
1183         user_name = "testuser3"
1184         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1185         # Open Ldb connection with the tested user
1186         _ldb = self.get_ldb_connection(user_name, "samba123@")
1187         # Create example Configuration container
1188         object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1189         self.delete_force(self.ldb_admin, object_dn)
1190         self.create_configuration_container(self.ldb_admin, object_dn, )
1191         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1192         mod = "(A;;WDCC;;;AU)"
1193         self.dacl_add_ace(object_dn, mod)
1194         # Create child object with user's credentials
1195         object_dn = "CN=test-specifier1," + object_dn
1196         self.delete_force(self.ldb_admin, object_dn)
1197         self.create_configuration_specifier(_ldb, object_dn)
1198         desc_sddl = self.get_desc_sddl(object_dn)
1199         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1200         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1201         #self.check_modify_inheritance(_ldb, object_dn)
1202
1203     def test_163(self):
1204         user_name = "testuser4"
1205         self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1206         # Open Ldb connection with the tested user
1207         _ldb = self.get_ldb_connection(user_name, "samba123@")
1208         # Create example Configuration container
1209         object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1210         self.delete_force(self.ldb_admin, object_dn)
1211         self.create_configuration_container(self.ldb_admin, object_dn, )
1212         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1213         mod = "(A;CI;WDCC;;;AU)"
1214         self.dacl_add_ace(object_dn, mod)
1215         # Create child object with user's credentials
1216         object_dn = "CN=test-specifier1," + object_dn
1217         self.delete_force(self.ldb_admin, object_dn)
1218         self.create_configuration_specifier(_ldb, object_dn)
1219         desc_sddl = self.get_desc_sddl(object_dn)
1220         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1221         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1222         #self.check_modify_inheritance(_ldb, object_dn)
1223
1224     def test_164(self):
1225         user_name = "testuser5"
1226         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1227         # Open Ldb connection with the tested user
1228         _ldb = self.get_ldb_connection(user_name, "samba123@")
1229         # Create example Configuration container
1230         container_name = "test-container1"
1231         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1232         self.delete_force(self.ldb_admin, object_dn)
1233         self.create_configuration_container(_ldb, object_dn, )
1234         desc_sddl = self.get_desc_sddl(object_dn)
1235         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1236         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1237         self.check_modify_inheritance(_ldb, object_dn)
1238
1239     def test_165(self):
1240         user_name = "testuser6"
1241         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1242         # Open Ldb connection with the tested user
1243         _ldb = self.get_ldb_connection(user_name, "samba123@")
1244         # Create example Configuration container
1245         container_name = "test-container1"
1246         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1247         self.delete_force(self.ldb_admin, object_dn)
1248         self.create_configuration_container(_ldb, object_dn, )
1249         desc_sddl = self.get_desc_sddl(object_dn)
1250         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1251         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1252         self.check_modify_inheritance(_ldb, object_dn)
1253
1254     def test_166(self):
1255         user_name = "testuser7"
1256         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1257         # Open Ldb connection with the tested user
1258         _ldb = self.get_ldb_connection(user_name, "samba123@")
1259         # Create example Configuration container
1260         container_name = "test-container1"
1261         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1262         self.delete_force(self.ldb_admin, object_dn)
1263         self.create_configuration_container(_ldb, object_dn, )
1264         desc_sddl = self.get_desc_sddl(object_dn)
1265         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1266         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1267         self.check_modify_inheritance(_ldb, object_dn)
1268
1269     def test_167(self):
1270         user_name = "testuser8"
1271         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1272         # Open Ldb connection with the tested user
1273         _ldb = self.get_ldb_connection(user_name, "samba123@")
1274         # Create example Configuration container
1275         container_name = "test-container1"
1276         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1277         self.delete_force(self.ldb_admin, object_dn)
1278         self.create_configuration_container(_ldb, object_dn, )
1279         desc_sddl = self.get_desc_sddl(object_dn)
1280         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1281         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1282         self.check_modify_inheritance(_ldb, object_dn)
1283
1284     # Custom descriptor tests ##################################################################
1285
1286     def test_168(self):
1287         user_name = "testuser1"
1288         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1289         # Open Ldb connection with the tested user
1290         _ldb = self.get_ldb_connection(user_name, "samba123@")
1291         # Create example Configuration container
1292         container_name = "test-container1"
1293         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1294         self.delete_force(self.ldb_admin, object_dn)
1295         # Create a custom security descriptor
1296         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1297         self.create_configuration_container(_ldb, object_dn, desc_sddl)
1298         desc_sddl = self.get_desc_sddl(object_dn)
1299         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1300         self.assertEqual("O:DAG:DA", res)
1301
1302     def test_169(self):
1303         user_name = "testuser2"
1304         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1305         # Open Ldb connection with the tested user
1306         _ldb = self.get_ldb_connection(user_name, "samba123@")
1307         # Create example Configuration container
1308         container_name = "test-container1"
1309         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1310         self.delete_force(self.ldb_admin, object_dn)
1311         # Create a custom security descriptor
1312         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1313         self.create_configuration_container(_ldb, object_dn, desc_sddl)
1314         desc_sddl = self.get_desc_sddl(object_dn)
1315         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1316         self.assertEqual("O:DAG:DA", res)
1317
1318     def test_170(self):
1319         user_name = "testuser3"
1320         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1321         # Open Ldb connection with the tested user
1322         _ldb = self.get_ldb_connection(user_name, "samba123@")
1323         # Create example Configuration container
1324         object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1325         self.delete_force(self.ldb_admin, object_dn)
1326         self.create_configuration_container(self.ldb_admin, object_dn, )
1327         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1328         mod = "(A;;CC;;;AU)"
1329         self.dacl_add_ace(object_dn, mod)
1330         # Create child object with user's credentials
1331         object_dn = "CN=test-specifier1," + object_dn
1332         self.delete_force(self.ldb_admin, object_dn)
1333         # Create a custom security descriptor
1334         # NB! Problematic owner part won't accept DA only <User Sid> !!!
1335         desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1336         self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1337         desc_sddl = self.get_desc_sddl(object_dn)
1338         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1339         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1340
1341     def test_171(self):
1342         user_name = "testuser4"
1343         self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1344         # Open Ldb connection with the tested user
1345         _ldb = self.get_ldb_connection(user_name, "samba123@")
1346         # Create example Configuration container
1347         object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1348         self.delete_force(self.ldb_admin, object_dn)
1349         self.create_configuration_container(self.ldb_admin, object_dn, )
1350         user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1351         mod = "(A;;CC;;;AU)"
1352         self.dacl_add_ace(object_dn, mod)
1353         # Create child object with user's credentials
1354         object_dn = "CN=test-specifier1," + object_dn
1355         self.delete_force(self.ldb_admin, object_dn)
1356         # Create a custom security descriptor
1357         # NB! Problematic owner part won't accept DA only <User Sid> !!!
1358         desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1359         self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1360         desc_sddl = self.get_desc_sddl(object_dn)
1361         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1362         self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1363
1364     def test_172(self):
1365         user_name = "testuser5"
1366         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1367         # Open Ldb connection with the tested user
1368         _ldb = self.get_ldb_connection(user_name, "samba123@")
1369         # Create example Configuration container
1370         container_name = "test-container1"
1371         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1372         self.delete_force(self.ldb_admin, object_dn)
1373         # Create a custom security descriptor
1374         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1375         self.create_configuration_container(_ldb, object_dn, desc_sddl)
1376         desc_sddl = self.get_desc_sddl(object_dn)
1377         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1378         self.assertEqual("O:DAG:DA", res)
1379
1380     def test_173(self):
1381         user_name = "testuser6"
1382         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1383         # Open Ldb connection with the tested user
1384         _ldb = self.get_ldb_connection(user_name, "samba123@")
1385         # Create example Configuration container
1386         container_name = "test-container1"
1387         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1388         self.delete_force(self.ldb_admin, object_dn)
1389         # Create a custom security descriptor
1390         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1391         self.create_configuration_container(_ldb, object_dn, desc_sddl)
1392         desc_sddl = self.get_desc_sddl(object_dn)
1393         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1394         self.assertEqual("O:DAG:DA", res)
1395
1396     def test_174(self):
1397         user_name = "testuser7"
1398         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1399         # Open Ldb connection with the tested user
1400         _ldb = self.get_ldb_connection(user_name, "samba123@")
1401         # Create example Configuration container
1402         container_name = "test-container1"
1403         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1404         self.delete_force(self.ldb_admin, object_dn)
1405         # Create a custom security descriptor
1406         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1407         self.create_configuration_container(_ldb, object_dn, desc_sddl)
1408         desc_sddl = self.get_desc_sddl(object_dn)
1409         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1410         self.assertEqual("O:DAG:DA", res)
1411
1412     def test_175(self):
1413         user_name = "testuser8"
1414         self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1415         # Open Ldb connection with the tested user
1416         _ldb = self.get_ldb_connection(user_name, "samba123@")
1417         # Create example Configuration container
1418         container_name = "test-container1"
1419         object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1420         self.delete_force(self.ldb_admin, object_dn)
1421         # Create a custom security descriptor
1422         desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1423         self.create_configuration_container(_ldb, object_dn, desc_sddl)
1424         desc_sddl = self.get_desc_sddl(object_dn)
1425         res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1426         self.assertEqual("O:DAG:DA", res)
1427
1428     ########################################################################################
1429     # Inharitance tests for DACL
1430
1431 class DaclDescriptorTests(DescriptorTests):
1432
1433     def deleteAll(self):
1434         self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1435         self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1436
1437     def setUp(self):
1438         DescriptorTests.setUp(self)
1439         self.deleteAll()
1440
1441     def tearDown(self):
1442         self.deleteAll()
1443
1444     def create_clean_ou(self, object_dn):
1445         """ Base repeating setup for unittests to follow """
1446         res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1447                 expression="distinguishedName=%s" % object_dn)
1448         # Make sure top testing OU has been deleted before starting the test
1449         self.assertEqual(res, [])
1450         self.create_domain_ou(self.ldb_admin, object_dn)
1451         desc_sddl = self.get_desc_sddl(object_dn)
1452         # Make sure there are inheritable ACEs initially
1453         self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1454         # Find and remove all inherit ACEs
1455         res = re.findall("\(.*?\)", desc_sddl)
1456         res = [x for x in res if ("CI" in x) or ("OI" in x)]
1457         for x in res:
1458             desc_sddl = desc_sddl.replace(x, "")
1459         # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1460         # can propagate from above
1461         # remove SACL, we are not interested
1462         desc_sddl = desc_sddl.replace(":AI", ":AIP")
1463         self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
1464         # Verify all inheritable ACEs are gone
1465         desc_sddl = self.get_desc_sddl(object_dn)
1466         self.assertFalse("CI" in desc_sddl)
1467         self.assertFalse("OI" in desc_sddl)
1468
1469     def test_200(self):
1470         """ OU with protected flag and child group. See if the group has inherit ACEs.
1471         """
1472         ou_dn = "OU=test_inherit_ou," + self.base_dn
1473         group_dn = "CN=test_inherit_group," + ou_dn
1474         # Create inheritable-free OU
1475         self.create_clean_ou(ou_dn)
1476         # Create group child object
1477         self.create_domain_group(self.ldb_admin, group_dn)
1478         # Make sure created group object contains NO inherit ACEs
1479         desc_sddl = self.get_desc_sddl(group_dn)
1480         self.assertFalse("ID" in desc_sddl)
1481
1482     def test_201(self):
1483         """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1484             Verify group has custom and default ACEs only.
1485         """
1486         ou_dn = "OU=test_inherit_ou," + self.base_dn
1487         group_dn = "CN=test_inherit_group," + ou_dn
1488         # Create inheritable-free OU
1489         self.create_clean_ou(ou_dn)
1490         # Create group child object using custom security descriptor
1491         sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1492         self.create_domain_group(self.ldb_admin, group_dn, sddl)
1493         # Make sure created group descriptor has NO additional ACEs
1494         desc_sddl = self.get_desc_sddl(group_dn)
1495         self.assertEqual(desc_sddl, sddl)
1496         sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1497         self.modify_desc(self.ldb_admin, group_dn, sddl)
1498         desc_sddl = self.get_desc_sddl(group_dn)
1499         self.assertEqual(desc_sddl, sddl)
1500
1501     def test_202(self):
1502         """ OU with protected flag and add couple non-inheritable ACEs, child group.
1503             See if the group has any of the added ACEs.
1504         """
1505         ou_dn = "OU=test_inherit_ou," + self.base_dn
1506         group_dn = "CN=test_inherit_group," + ou_dn
1507         # Create inheritable-free OU
1508         self.create_clean_ou(ou_dn)
1509         # Add some custom non-inheritable ACEs
1510         mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1511         moded = "(D;;CC;;;LG)"
1512         self.dacl_add_ace(ou_dn, mod)
1513         # Verify all inheritable ACEs are gone
1514         desc_sddl = self.get_desc_sddl(ou_dn)
1515         # Create group child object
1516         self.create_domain_group(self.ldb_admin, group_dn)
1517         # Make sure created group object contains NO inherit ACEs
1518         # also make sure the added above non-inheritable ACEs are absent too
1519         desc_sddl = self.get_desc_sddl(group_dn)
1520         self.assertFalse("ID" in desc_sddl)
1521         for x in re.findall("\(.*?\)", mod):
1522             self.assertFalse(x in desc_sddl)
1523         self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1524         desc_sddl = self.get_desc_sddl(group_dn)
1525         self.assertFalse("ID" in desc_sddl)
1526         for x in re.findall("\(.*?\)", mod):
1527             self.assertFalse(x in desc_sddl)
1528
1529     def test_203(self):
1530         """ OU with protected flag and add 'CI' ACE, child group.
1531             See if the group has the added inherited ACE.
1532         """
1533         ou_dn = "OU=test_inherit_ou," + self.base_dn
1534         group_dn = "CN=test_inherit_group," + ou_dn
1535         # Create inheritable-free OU
1536         self.create_clean_ou(ou_dn)
1537         # Add some custom 'CI' ACE
1538         mod = "(D;CI;WP;;;DU)"
1539         moded = "(D;;CC;;;LG)"
1540         self.dacl_add_ace(ou_dn, mod)
1541         desc_sddl = self.get_desc_sddl(ou_dn)
1542         # Create group child object
1543         self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1544         # Make sure created group object contains only the above inherited ACE
1545         # that we've added manually
1546         desc_sddl = self.get_desc_sddl(group_dn)
1547         mod = mod.replace(";CI;", ";CIID;")
1548         self.assertTrue(mod in desc_sddl)
1549         self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1550         desc_sddl = self.get_desc_sddl(group_dn)
1551         self.assertTrue(moded in desc_sddl)
1552         self.assertTrue(mod in desc_sddl)
1553
1554     def test_204(self):
1555         """ OU with protected flag and add 'OI' ACE, child group.
1556             See if the group has the added inherited ACE.
1557         """
1558         ou_dn = "OU=test_inherit_ou," + self.base_dn
1559         group_dn = "CN=test_inherit_group," + ou_dn
1560         # Create inheritable-free OU
1561         self.create_clean_ou(ou_dn)
1562         # Add some custom 'CI' ACE
1563         mod = "(D;OI;WP;;;DU)"
1564         moded = "(D;;CC;;;LG)"
1565         self.dacl_add_ace(ou_dn, mod)
1566         desc_sddl = self.get_desc_sddl(ou_dn)
1567         # Create group child object
1568         self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1569         # Make sure created group object contains only the above inherited ACE
1570         # that we've added manually
1571         desc_sddl = self.get_desc_sddl(group_dn)
1572         mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1573         self.assertTrue(mod in desc_sddl)
1574         self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
1575         desc_sddl = self.get_desc_sddl(group_dn)
1576         self.assertTrue(moded in desc_sddl)
1577         self.assertTrue(mod in desc_sddl)
1578
1579     def test_205(self):
1580         """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1581             See if the group has the added inherited ACE.
1582         """
1583         ou_dn = "OU=test_inherit_ou," + self.base_dn
1584         group_dn = "CN=test_inherit_group," + ou_dn
1585         # Create inheritable-free OU
1586         self.create_clean_ou(ou_dn)
1587         # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1588         mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1589         moded = "(D;;CC;;;LG)"
1590         self.dacl_add_ace(ou_dn, mod)
1591         desc_sddl = self.get_desc_sddl(ou_dn)
1592         # Create group child object
1593         self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1594         # Make sure created group object contains only the above inherited ACE
1595         # that we've added manually
1596         desc_sddl = self.get_desc_sddl(group_dn)
1597         mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1598         self.assertTrue(mod in desc_sddl)
1599         self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1600         desc_sddl = self.get_desc_sddl(group_dn)
1601         self.assertTrue(moded in desc_sddl)
1602         self.assertTrue(mod in desc_sddl)
1603
1604     def test_206(self):
1605         """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1606             See if the group has the added inherited ACE.
1607         """
1608         ou_dn = "OU=test_inherit_ou," + self.base_dn
1609         group_dn = "CN=test_inherit_group," + ou_dn
1610         # Create inheritable-free OU
1611         self.create_clean_ou(ou_dn)
1612         # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1613         mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1614         moded = "(D;;CC;;;LG)"
1615         self.dacl_add_ace(ou_dn, mod)
1616         desc_sddl = self.get_desc_sddl(ou_dn)
1617         # Create group child object
1618         self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1619         # Make sure created group object contains only the above inherited ACE
1620         # that we've added manually
1621         desc_sddl = self.get_desc_sddl(group_dn)
1622         mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1623         self.assertTrue(mod in desc_sddl)
1624         self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1625         desc_sddl = self.get_desc_sddl(group_dn)
1626         self.assertTrue(moded in desc_sddl)
1627         self.assertTrue(mod in desc_sddl)
1628
1629     def test_207(self):
1630         """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1631             See if the group has the added inherited ACE.
1632         """
1633         ou_dn = "OU=test_inherit_ou," + self.base_dn
1634         group_dn = "CN=test_inherit_group," + ou_dn
1635         # Create inheritable-free OU
1636         self.create_clean_ou(ou_dn)
1637         # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1638         mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1639         moded = "(D;;CC;;;LG)"
1640         self.dacl_add_ace(ou_dn, mod)
1641         desc_sddl = self.get_desc_sddl(ou_dn)
1642         # Create group child object
1643         self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1644         # Make sure created group object contains only the above inherited ACE
1645         # that we've added manually
1646         desc_sddl = self.get_desc_sddl(group_dn)
1647         mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1648         self.assertTrue(mod in desc_sddl)
1649         self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1650         desc_sddl = self.get_desc_sddl(group_dn)
1651         self.assertTrue(moded in desc_sddl)
1652         self.assertTrue(mod in desc_sddl)
1653
1654     def test_208(self):
1655         """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1656             See if the group has the added inherited ACE.
1657         """
1658         ou_dn = "OU=test_inherit_ou," + self.base_dn
1659         group_dn = "CN=test_inherit_group," + ou_dn
1660         # Create inheritable-free OU
1661         self.create_clean_ou(ou_dn)
1662         # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1663         mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1664         moded = "(D;;CC;;;LG)"
1665         self.dacl_add_ace(ou_dn, mod)
1666         desc_sddl = self.get_desc_sddl(ou_dn)
1667         # Create group child object
1668         self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1669         # Make sure created group object contains only the above inherited ACE
1670         # that we've added manually
1671         desc_sddl = self.get_desc_sddl(group_dn)
1672         mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1673         self.assertTrue(mod in desc_sddl)
1674         self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1675         desc_sddl = self.get_desc_sddl(group_dn)
1676         self.assertTrue(moded in desc_sddl)
1677         self.assertTrue(mod in desc_sddl)
1678
1679     def test_209(self):
1680         """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1681             See if the group has the added inherited ACE.
1682         """
1683         ou_dn = "OU=test_inherit_ou," + self.base_dn
1684         group_dn = "CN=test_inherit_group," + ou_dn
1685         # Create inheritable-free OU
1686         self.create_clean_ou(ou_dn)
1687         # Add some custom 'CI' ACE
1688         mod = "(D;CI;WP;;;CO)"
1689         moded = "(D;;CC;;;LG)"
1690         self.dacl_add_ace(ou_dn, mod)
1691         desc_sddl = self.get_desc_sddl(ou_dn)
1692         # Create group child object
1693         self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1694         # Make sure created group object contains only the above inherited ACE(s)
1695         # that we've added manually
1696         desc_sddl = self.get_desc_sddl(group_dn)
1697         self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1698         self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1699         self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1700         desc_sddl = self.get_desc_sddl(group_dn)
1701         self.assertTrue(moded in desc_sddl)
1702         self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1703         self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1704
1705     ########################################################################################
1706
1707
1708 class SdFlagsDescriptorTests(DescriptorTests):
1709     def deleteAll(self):
1710         self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1711
1712     def setUp(self):
1713         DescriptorTests.setUp(self)
1714         self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1715         self.deleteAll()
1716
1717     def tearDown(self):
1718         self.deleteAll()
1719
1720     def test_301(self):
1721         """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1722             See that only the owner has been changed.
1723         """
1724         ou_dn = "OU=test_sdflags_ou," + self.base_dn
1725         self.create_domain_ou(self.ldb_admin, ou_dn)
1726         self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1727         desc_sddl = self.get_desc_sddl(ou_dn)
1728         # make sure we have modified the owner
1729         self.assertTrue("O:AU" in desc_sddl)
1730         # make sure nothing else has been modified
1731         self.assertFalse("G:AU" in desc_sddl)
1732         self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1733         self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1734
1735     def test_302(self):
1736         """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1737             See that only the owner has been changed.
1738         """
1739         ou_dn = "OU=test_sdflags_ou," + self.base_dn
1740         self.create_domain_ou(self.ldb_admin, ou_dn)
1741         self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1742         desc_sddl = self.get_desc_sddl(ou_dn)
1743         # make sure we have modified the group
1744         self.assertTrue("G:AU" in desc_sddl)
1745         # make sure nothing else has been modified
1746         self.assertFalse("O:AU" in desc_sddl)
1747         self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1748         self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1749
1750     def test_303(self):
1751         """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1752             See that only the owner has been changed.
1753         """
1754         ou_dn = "OU=test_sdflags_ou," + self.base_dn
1755         self.create_domain_ou(self.ldb_admin, ou_dn)
1756         self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1757         desc_sddl = self.get_desc_sddl(ou_dn)
1758         # make sure we have modified the DACL
1759         self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1760         # make sure nothing else has been modified
1761         self.assertFalse("O:AU" in desc_sddl)
1762         self.assertFalse("G:AU" in desc_sddl)
1763         self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1764
1765     def test_304(self):
1766         """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1767             See that only the owner has been changed.
1768         """
1769         ou_dn = "OU=test_sdflags_ou," + self.base_dn
1770         self.create_domain_ou(self.ldb_admin, ou_dn)
1771         self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1772         desc_sddl = self.get_desc_sddl(ou_dn)
1773         # make sure we have modified the DACL
1774         self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1775         # make sure nothing else has been modified
1776         self.assertFalse("O:AU" in desc_sddl)
1777         self.assertFalse("G:AU" in desc_sddl)
1778         self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1779
1780     def test_305(self):
1781         """ Modify a descriptor with 0x0 set.
1782             Contrary to logic this is interpreted as no control,
1783             which is the same as 0xF
1784         """
1785         ou_dn = "OU=test_sdflags_ou," + self.base_dn
1786         self.create_domain_ou(self.ldb_admin, ou_dn)
1787         self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1788         desc_sddl = self.get_desc_sddl(ou_dn)
1789         # make sure we have modified the DACL
1790         self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1791         # make sure nothing else has been modified
1792         self.assertTrue("O:AU" in desc_sddl)
1793         self.assertTrue("G:AU" in desc_sddl)
1794         self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1795
1796     def test_306(self):
1797         """ Modify a descriptor with 0xF set.
1798         """
1799         ou_dn = "OU=test_sdflags_ou," + self.base_dn
1800         self.create_domain_ou(self.ldb_admin, ou_dn)
1801         self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1802         desc_sddl = self.get_desc_sddl(ou_dn)
1803         # make sure we have modified the DACL
1804         self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1805         # make sure nothing else has been modified
1806         self.assertTrue("O:AU" in desc_sddl)
1807         self.assertTrue("G:AU" in desc_sddl)
1808         self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1809
1810     def test_307(self):
1811         """ Read a descriptor with OWNER_SECURITY_INFORMATION
1812             Only the owner part should be returned.
1813         """
1814         ou_dn = "OU=test_sdflags_ou," + self.base_dn
1815         self.create_domain_ou(self.ldb_admin, ou_dn)
1816         desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1817         # make sure we have read the owner
1818         self.assertTrue("O:" in desc_sddl)
1819         # make sure we have read nothing else
1820         self.assertFalse("G:" in desc_sddl)
1821         self.assertFalse("D:" in desc_sddl)
1822         self.assertFalse("S:" in desc_sddl)
1823
1824     def test_308(self):
1825         """ Read a descriptor with GROUP_SECURITY_INFORMATION
1826             Only the group part should be returned.
1827         """
1828         ou_dn = "OU=test_sdflags_ou," + self.base_dn
1829         self.create_domain_ou(self.ldb_admin, ou_dn)
1830         desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1831         # make sure we have read the owner
1832         self.assertTrue("G:" in desc_sddl)
1833         # make sure we have read nothing else
1834         self.assertFalse("O:" in desc_sddl)
1835         self.assertFalse("D:" in desc_sddl)
1836         self.assertFalse("S:" in desc_sddl)
1837
1838     def test_309(self):
1839         """ Read a descriptor with SACL_SECURITY_INFORMATION
1840             Only the sacl part should be returned.
1841         """
1842         ou_dn = "OU=test_sdflags_ou," + self.base_dn
1843         self.create_domain_ou(self.ldb_admin, ou_dn)
1844         desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1845         # make sure we have read the owner
1846         self.assertTrue("S:" in desc_sddl)
1847         # make sure we have read nothing else
1848         self.assertFalse("O:" in desc_sddl)
1849         self.assertFalse("D:" in desc_sddl)
1850         self.assertFalse("G:" in desc_sddl)
1851
1852     def test_310(self):
1853         """ Read a descriptor with DACL_SECURITY_INFORMATION
1854             Only the dacl part should be returned.
1855         """
1856         ou_dn = "OU=test_sdflags_ou," + self.base_dn
1857         self.create_domain_ou(self.ldb_admin, ou_dn)
1858         desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1859         # make sure we have read the owner
1860         self.assertTrue("D:" in desc_sddl)
1861         # make sure we have read nothing else
1862         self.assertFalse("O:" in desc_sddl)
1863         self.assertFalse("S:" in desc_sddl)
1864         self.assertFalse("G:" in desc_sddl)
1865
1866 class RightsAttributesTests(DescriptorTests):
1867
1868     def deleteAll(self):
1869         if self.SAMBA:
1870            self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1871            self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1872
1873         self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1874
1875     def setUp(self):
1876         DescriptorTests.setUp(self)
1877         self.deleteAll()
1878         if self.SAMBA:
1879             ### Create users
1880             # User 1
1881             user_dn = self.get_users_domain_dn("testuser_attr")
1882             self.create_domain_user(self.ldb_admin, user_dn)
1883             self.enable_account(user_dn)
1884         # User 2, Domain Admins
1885             user_dn = self.get_users_domain_dn("testuser_attr2")
1886             self.create_domain_user(self.ldb_admin, user_dn)
1887             self.enable_account(user_dn)
1888             ldif = """
1889 dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """
1890 changetype: modify
1891 add: member
1892 member: """ + user_dn
1893             self.ldb_admin.modify_ldif(ldif)
1894
1895     def tearDown(self):
1896         self.deleteAll()
1897
1898     def test_sDRightsEffective(self):
1899         object_dn = "OU=test_domain_ou1," + self.base_dn
1900         self.delete_force(self.ldb_admin, object_dn)
1901         self.create_domain_ou(self.ldb_admin, object_dn)
1902         print self.get_users_domain_dn("testuser_attr")
1903         user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1904         #give testuser1 read access so attributes can be retrieved
1905         mod = "(A;CI;RP;;;%s)" % str(user_sid)
1906         self.dacl_add_ace(object_dn, mod)
1907         _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1908         res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1909                          attrs=["sDRightsEffective"])
1910         #user whould have no rights at all
1911         self.assertEquals(len(res), 1)
1912         self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1913         #give the user Write DACL and see what happens
1914         mod = "(A;CI;WD;;;%s)" % str(user_sid)
1915         self.dacl_add_ace(object_dn, mod)
1916         res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1917                          attrs=["sDRightsEffective"])
1918         #user whould have DACL_SECURITY_INFORMATION
1919         self.assertEquals(len(res), 1)
1920         self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1921         #give the user Write Owners and see what happens
1922         mod = "(A;CI;WO;;;%s)" % str(user_sid)
1923         self.dacl_add_ace(object_dn, mod)
1924         res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1925                          attrs=["sDRightsEffective"])
1926         #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1927         self.assertEquals(len(res), 1)
1928         self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1929         #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1930         _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1931         res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1932                          attrs=["sDRightsEffective"])
1933         #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1934         self.assertEquals(len(res), 1)
1935         self.assertEquals(res[0]["sDRightsEffective"][0], \
1936                           ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1937
1938     def test_allowedChildClassesEffective(self):
1939         object_dn = "OU=test_domain_ou1," + self.base_dn
1940         self.delete_force(self.ldb_admin, object_dn)
1941         self.create_domain_ou(self.ldb_admin, object_dn)
1942         user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1943         #give testuser1 read access so attributes can be retrieved
1944         mod = "(A;CI;RP;;;%s)" % str(user_sid)
1945         self.dacl_add_ace(object_dn, mod)
1946         _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1947         res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1948                          attrs=["allowedChildClassesEffective"])
1949         #there should be no allowed child classes
1950         self.assertEquals(len(res), 1)
1951         self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1952         #give the user the right to create children of type user
1953         mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1954         self.dacl_add_ace(object_dn, mod)
1955         res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1956                          attrs=["allowedChildClassesEffective"])
1957         # allowedChildClassesEffective should only have one value, user
1958         self.assertEquals(len(res), 1)
1959         self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1960         self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1961
1962     def test_allowedAttributesEffective(self):
1963         object_dn = "OU=test_domain_ou1," + self.base_dn
1964         self.delete_force(self.ldb_admin, object_dn)
1965         self.create_domain_ou(self.ldb_admin, object_dn)
1966         user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1967         #give testuser1 read access so attributes can be retrieved
1968         mod = "(A;CI;RP;;;%s)" % str(user_sid)
1969         self.dacl_add_ace(object_dn, mod)
1970         _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1971         #res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1972         #                 attrs=["allowedAttributes"])
1973         #print res
1974         res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1975                          attrs=["allowedAttributesEffective"])
1976         #there should be no allowed attributes
1977         self.assertEquals(len(res), 1)
1978         self.assertFalse("allowedAttributesEffective" in res[0].keys())
1979         #give the user the right to write displayName and managedBy
1980         mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1981         mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1982         # also rights to modify an read only attribute, fromEntry
1983         mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1984         self.dacl_add_ace(object_dn, mod + mod2 + mod3)
1985         res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1986                          attrs=["allowedAttributesEffective"])
1987         # value should only contain user and managedBy
1988         print res
1989         self.assertEquals(len(res), 1)
1990         self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1991         self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1992         self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1993
1994 if not "://" in host:
1995     if os.path.isfile(host):
1996         host = "tdb://%s" % host
1997     else:
1998         host = "ldap://%s" % host
1999
2000 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
2001
2002 runner = SubunitTestRunner()
2003 rc = 0
2004 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
2005     rc = 1
2006 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
2007     rc = 1
2008 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
2009     rc = 1
2010 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():
2011     rc = 1
2012 sys.exit(rc)