def get_users_domain_dn(self, name):
return "CN=%s,CN=Users,%s" % (name, self.base_dn)
- def modify_desc(self, object_dn, desc):
+ def modify_desc(self, _ldb, object_dn, desc):
assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
mod = """
dn: """ + object_dn + """
mod += "nTSecurityDescriptor: %s" % desc
elif isinstance(desc, security.descriptor):
mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
- self.ldb_admin.modify_ldif(mod)
+ _ldb.modify_ldif(mod)
def create_domain_ou(self, _ldb, ou_dn, desc=None):
ldif = """
if ace in desc_sddl:
return
if desc_sddl.find("(") >= 0:
- desc_sddl = desc_sddl[0:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
+ desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
else:
desc_sddl = desc_sddl + ace
- self.modify_desc(object_dn, desc_sddl)
+ self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
def get_desc_sddl(self, object_dn):
""" Return object nTSecutiryDescriptor in SDDL format
"174" : "O:DAG:DA",
"175" : "O:DAG:DA",
},
- # msDS-Behavior-Version >= 3
+ # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
"ds_behavior_win2008" : {
"100" : "O:EAG:EA",
"101" : "O:DAG:DA",
"113" : "O:DAG:DA",
"114" : "O:DAG:DA",
"115" : "O:DAG:DA",
- "130" : "0:EAG:EA",
- "131" : "",
- "132" : "",
- "133" : "%s",
- "134" : "",
- "135" : "",
- "136" : "",
- "137" : "",
+ "130" : "O:EAG:EA",
+ "131" : "O:DAG:DA",
+ "132" : "O:SAG:SA",
+ "133" : "O:%sG:DU",
+ "134" : "O:EAG:EA",
+ "135" : "O:SAG:SA",
+ "136" : "O:SAG:SA",
+ "137" : "O:SAG:SA",
"138" : "",
"139" : "",
- "140" : "%s",
- "141" : "%s",
+ "140" : "O:%sG:DA",
+ "141" : "O:%sG:DA",
"142" : "",
"143" : "",
"144" : "",
res = [x.upper() for x in res[0].keys()]
self.assertFalse( "MEMBEROF" in res)
+ def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
+ # Modify
+ ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
+ if owner_group != "":
+ self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
+ else:
+ self.modify_desc(_ldb, object_dn, "D:" + ace)
+ # Make sure the modify operation has been applied
+ desc_sddl = self.get_desc_sddl(object_dn)
+ self.assertTrue(ace in desc_sddl)
+ # Make sure we have identical result for both "add" and "modify"
+ res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
+ print self._testMethodName
+ test_number = self._testMethodName[5:]
+ self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
+
def test_100(self):
""" Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
"""
user_name = "testuser1"
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
# Open Ldb connection with the tested user
- _ldb = self.get_ldb_connection("testuser1", "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
- self.create_domain_group(_ldb, group_dn)
- desc_sddl = self.get_desc_sddl(group_dn)
+ _ldb = self.get_ldb_connection(user_name, "samba123@")
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_group(_ldb, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["100"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
def test_101(self):
""" Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
- self.create_domain_group(_ldb, group_dn)
- desc_sddl = self.get_desc_sddl(group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_group(_ldb, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["101"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
def test_102(self):
""" Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
self.delete_force(self.ldb_admin, object_dn)
self.create_domain_ou(self.ldb_admin, object_dn)
user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;CC;;;%s)" % str(user_sid)
+ mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
self.dacl_add_ace(object_dn, mod)
# Create additional object into the first one
object_dn = "CN=test_domain_user1," + object_dn
self.create_domain_user(_ldb, object_dn)
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["102"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
+ # This fails, research why
+ #self.check_modify_inheritance(_ldb, object_dn)
def test_103(self):
""" Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
self.delete_force(self.ldb_admin, object_dn)
self.create_domain_ou(self.ldb_admin, object_dn)
user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;CC;;;%s)" % str(user_sid)
+ mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
self.dacl_add_ace(object_dn, mod)
# Create additional object into the first one
object_dn = "CN=test_domain_user1," + object_dn
self.create_domain_user(_ldb, object_dn)
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["103"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
+ #this fails, research why
+ #self.check_modify_inheritance(_ldb, object_dn)
def test_104(self):
""" Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
- self.create_domain_group(_ldb, group_dn)
- desc_sddl = self.get_desc_sddl(group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_group(_ldb, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["104"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
def test_105(self):
""" Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
- self.create_domain_group(_ldb, group_dn)
- desc_sddl = self.get_desc_sddl(group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_group(_ldb, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["105"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
def test_106(self):
""" Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
- self.create_domain_group(_ldb, group_dn)
- desc_sddl = self.get_desc_sddl(group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_group(_ldb, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["106"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
def test_107(self):
""" Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
- self.create_domain_group(_ldb, group_dn)
- desc_sddl = self.get_desc_sddl(group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
+ self.create_domain_group(_ldb, object_dn)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["107"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
# Control descriptor tests #####################################################################
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, group_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.create_domain_group(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["108"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
def test_109(self):
""" Domain admin group member creates object (custom descriptor) in DOMAIN
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, group_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.create_domain_group(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["109"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
def test_110(self):
""" Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
self.delete_force(self.ldb_admin, object_dn)
self.create_domain_ou(self.ldb_admin, object_dn)
user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;CC;;;%s)" % str(user_sid)
+ mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
self.dacl_add_ace(object_dn, mod)
# Create a custom security descriptor
# NB! Problematic owner part won't accept DA only <User Sid> !!!
desc = self.read_desc(object_dn)
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["110"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
def test_111(self):
""" Regular user with CC right creates object (custom descriptor) in DOMAIN
self.delete_force(self.ldb_admin, object_dn)
self.create_domain_ou(self.ldb_admin, object_dn)
user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;CC;;;%s)" % str(user_sid)
+ mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
self.dacl_add_ace(object_dn, mod)
# Create a custom security descriptor
# NB! Problematic owner part won't accept DA only <User Sid> !!!
desc = self.read_desc(object_dn)
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["111"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
def test_112(self):
""" Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, group_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.create_domain_group(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["112"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
def test_113(self):
""" Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, group_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.create_domain_group(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["113"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
def test_114(self):
""" Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, group_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.create_domain_group(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["114"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
def test_115(self):
""" Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
- group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
- self.delete_force(self.ldb_admin, group_dn)
+ object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
+ self.delete_force(self.ldb_admin, object_dn)
# Create a custom security descriptor
desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
- self.create_domain_group(_ldb, group_dn, desc_sddl)
- desc_sddl = self.get_desc_sddl(group_dn)
+ self.create_domain_group(_ldb, object_dn, desc_sddl)
+ desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["115"], res)
-
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
def test_999(self):
user_name = "Administrator"
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;CC;;;AU)"
+ mod = "(A;;WDCC;;;AU)"
self.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
class_name = self.get_unique_schema_class_name()
self.create_schema_class(_ldb, class_dn)
desc_sddl = self.get_desc_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["130"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, class_dn)
def test_131(self):
user_name = "testuser2"
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
+ mod = "(A;CI;WDCC;;;AU)"
self.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
class_name = self.get_unique_schema_class_name()
self.create_schema_class(_ldb, class_dn)
desc_sddl = self.get_desc_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["131"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, class_dn)
def test_132(self):
user_name = "testuser3"
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
+ mod = "(A;CI;WDCC;;;AU)"
self.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
class_name = self.get_unique_schema_class_name()
self.create_schema_class(_ldb, class_dn)
desc_sddl = self.get_desc_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["132"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ #self.check_modify_inheritance(_ldb, class_dn)
def test_133(self):
user_name = "testuser4"
_ldb = self.get_ldb_connection(user_name, "samba123@")
#Change Schema partition descriptor
user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;CC;;;AU)"
+ mod = "(A;CI;WDCC;;;AU)"
self.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
class_name = self.get_unique_schema_class_name()
self.create_schema_class(_ldb, class_dn)
desc_sddl = self.get_desc_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["133"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
+ #self.check_modify_inheritance(_ldb, class_dn)
def test_134(self):
user_name = "testuser5"
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
#Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
+ mod = "(A;CI;WDCC;;;AU)"
self.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
class_name = self.get_unique_schema_class_name()
self.create_schema_class(_ldb, class_dn)
desc_sddl = self.get_desc_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["134"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, class_dn)
def test_135(self):
user_name = "testuser6"
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
+ mod = "(A;CI;WDCC;;;AU)"
self.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
class_name = self.get_unique_schema_class_name()
self.create_schema_class(_ldb, class_dn)
desc_sddl = self.get_desc_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["135"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, class_dn)
def test_136(self):
user_name = "testuser7"
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
+ mod = "(A;CI;WDCC;;;AU)"
self.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
class_name = self.get_unique_schema_class_name()
self.create_schema_class(_ldb, class_dn)
desc_sddl = self.get_desc_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["136"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, class_dn)
def test_137(self):
user_name = "testuser8"
# Open Ldb connection with the tested user
_ldb = self.get_ldb_connection(user_name, "samba123@")
# Change Schema partition descriptor
- mod = "(A;;CC;;;AU)"
+ mod = "(A;CI;WDCC;;;AU)"
self.dacl_add_ace(self.schema_dn, mod)
# Create example Schema class
class_name = self.get_unique_schema_class_name()
self.create_schema_class(_ldb, class_dn)
desc_sddl = self.get_desc_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["137"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, class_dn)
# Custom descriptor tests ##################################################################
self.create_schema_class(_ldb, class_dn, desc_sddl)
desc_sddl = self.get_desc_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["140"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
def test_141(self):
user_name = "testuser4"
self.create_schema_class(_ldb, class_dn, desc_sddl)
desc_sddl = self.get_desc_sddl(class_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["141"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
def test_142(self):
user_name = "testuser5"
self.create_configuration_container(_ldb, object_dn, )
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["160"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
def test_161(self):
user_name = "testuser2"
self.create_configuration_container(_ldb, object_dn, )
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["161"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
def test_162(self):
user_name = "testuser3"
self.delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(self.ldb_admin, object_dn, )
user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;CC;;;AU)"
+ mod = "(A;;WDCC;;;AU)"
self.dacl_add_ace(object_dn, mod)
# Create child object with user's credentials
object_dn = "CN=test-specifier1," + object_dn
self.create_configuration_specifier(_ldb, object_dn)
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["162"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
+ #self.check_modify_inheritance(_ldb, object_dn)
def test_163(self):
user_name = "testuser4"
self.delete_force(self.ldb_admin, object_dn)
self.create_configuration_container(self.ldb_admin, object_dn, )
user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
- mod = "(A;;CC;;;AU)"
+ mod = "(A;CI;WDCC;;;AU)"
self.dacl_add_ace(object_dn, mod)
# Create child object with user's credentials
object_dn = "CN=test-specifier1," + object_dn
self.create_configuration_specifier(_ldb, object_dn)
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["163"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
+ #self.check_modify_inheritance(_ldb, object_dn)
def test_164(self):
user_name = "testuser5"
self.create_configuration_container(_ldb, object_dn, )
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["164"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
def test_165(self):
user_name = "testuser6"
self.create_configuration_container(_ldb, object_dn, )
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["165"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
def test_166(self):
user_name = "testuser7"
self.create_configuration_container(_ldb, object_dn, )
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["166"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
def test_167(self):
user_name = "testuser8"
self.create_configuration_container(_ldb, object_dn, )
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["167"], res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
+ self.check_modify_inheritance(_ldb, object_dn)
# Custom descriptor tests ##################################################################
self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["170"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
def test_171(self):
user_name = "testuser4"
self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
desc_sddl = self.get_desc_sddl(object_dn)
res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
- self.assertEqual(self.results[self.DS_BEHAVIOR]["171"] % str(user_sid), res)
+ self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
def test_172(self):
user_name = "testuser5"
DescriptorTests.setUp(self)
def tearDown(self):
- self.delete_force(self.ldb_admin, "CN=_test_inherit_group,OU=test_inherit_ou," + self.base_dn)
- self.delete_force(self.ldb_admin, "OU=_test_inherit_ou," + self.base_dn)
+ self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
+ self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
def create_clean_ou(self, object_dn):
""" Base repeating setup for unittests to follow """
self.assertEqual(res, [])
self.create_domain_ou(self.ldb_admin, object_dn)
desc_sddl = self.get_desc_sddl(object_dn)
- # Make sutre there are inheritable ACEs initially
+ # Make sure there are inheritable ACEs initially
self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
# Find and remove all inherit ACEs
res = re.findall("\(.*?\)", desc_sddl)
# can propagate from above
# remove SACL, we are not interested
desc_sddl = desc_sddl.replace(":AI", ":AIP")
- self.modify_desc(object_dn, desc_sddl)
+ self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
# Verify all inheritable ACEs are gone
desc_sddl = self.get_desc_sddl(object_dn)
self.assertFalse("CI" in desc_sddl)
self.create_domain_group(self.ldb_admin, group_dn, sddl)
# Make sure created group descriptor has NO additional ACEs
desc_sddl = self.get_desc_sddl(group_dn)
- print "group descriptor: " + desc_sddl
+ self.assertEqual(desc_sddl, sddl)
+ sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
+ self.modify_desc(self.ldb_admin, group_dn, sddl)
+ desc_sddl = self.get_desc_sddl(group_dn)
self.assertEqual(desc_sddl, sddl)
def test_202(self):
self.create_clean_ou(ou_dn)
# Add some custom non-inheritable ACEs
mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
+ moded = "(D;;CC;;;LG)"
self.dacl_add_ace(ou_dn, mod)
# Verify all inheritable ACEs are gone
desc_sddl = self.get_desc_sddl(ou_dn)
# Create group child object
self.create_domain_group(self.ldb_admin, group_dn)
# Make sure created group object contains NO inherit ACEs
- # also make sure the added above non-inheritable ACEs are absant too
+ # also make sure the added above non-inheritable ACEs are absent too
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertFalse("ID" in desc_sddl)
+ for x in re.findall("\(.*?\)", mod):
+ self.assertFalse(x in desc_sddl)
+ self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
desc_sddl = self.get_desc_sddl(group_dn)
self.assertFalse("ID" in desc_sddl)
for x in re.findall("\(.*?\)", mod):
self.create_clean_ou(ou_dn)
# Add some custom 'CI' ACE
mod = "(D;CI;WP;;;DU)"
+ moded = "(D;;CC;;;LG)"
self.dacl_add_ace(ou_dn, mod)
desc_sddl = self.get_desc_sddl(ou_dn)
# Create group child object
desc_sddl = self.get_desc_sddl(group_dn)
mod = mod.replace(";CI;", ";CIID;")
self.assertTrue(mod in desc_sddl)
+ self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertTrue(moded in desc_sddl)
+ self.assertTrue(mod in desc_sddl)
def test_204(self):
""" OU with protected flag and add 'OI' ACE, child group.
self.create_clean_ou(ou_dn)
# Add some custom 'CI' ACE
mod = "(D;OI;WP;;;DU)"
+ moded = "(D;;CC;;;LG)"
self.dacl_add_ace(ou_dn, mod)
desc_sddl = self.get_desc_sddl(ou_dn)
# Create group child object
desc_sddl = self.get_desc_sddl(group_dn)
mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
self.assertTrue(mod in desc_sddl)
+ self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertTrue(moded in desc_sddl)
+ self.assertTrue(mod in desc_sddl)
def test_205(self):
""" OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
self.create_clean_ou(ou_dn)
# Add some custom 'OA' for 'name' attribute & 'CI' ACE
mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
+ moded = "(D;;CC;;;LG)"
self.dacl_add_ace(ou_dn, mod)
desc_sddl = self.get_desc_sddl(ou_dn)
# Create group child object
desc_sddl = self.get_desc_sddl(group_dn)
mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
self.assertTrue(mod in desc_sddl)
+ self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertTrue(moded in desc_sddl)
+ self.assertTrue(mod in desc_sddl)
def test_206(self):
""" OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
self.create_clean_ou(ou_dn)
# Add some custom 'OA' for 'name' attribute & 'OI' ACE
mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
+ moded = "(D;;CC;;;LG)"
self.dacl_add_ace(ou_dn, mod)
desc_sddl = self.get_desc_sddl(ou_dn)
# Create group child object
desc_sddl = self.get_desc_sddl(group_dn)
mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
self.assertTrue(mod in desc_sddl)
+ self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertTrue(moded in desc_sddl)
+ self.assertTrue(mod in desc_sddl)
def test_207(self):
""" OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
self.create_clean_ou(ou_dn)
# Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
+ moded = "(D;;CC;;;LG)"
self.dacl_add_ace(ou_dn, mod)
desc_sddl = self.get_desc_sddl(ou_dn)
# Create group child object
desc_sddl = self.get_desc_sddl(group_dn)
mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
self.assertTrue(mod in desc_sddl)
+ self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertTrue(moded in desc_sddl)
+ self.assertTrue(mod in desc_sddl)
def test_208(self):
""" OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
self.create_clean_ou(ou_dn)
# Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
+ moded = "(D;;CC;;;LG)"
self.dacl_add_ace(ou_dn, mod)
desc_sddl = self.get_desc_sddl(ou_dn)
# Create group child object
desc_sddl = self.get_desc_sddl(group_dn)
mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
self.assertTrue(mod in desc_sddl)
+ self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertTrue(moded in desc_sddl)
+ self.assertTrue(mod in desc_sddl)
def test_209(self):
""" OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
self.create_clean_ou(ou_dn)
# Add some custom 'CI' ACE
mod = "(D;CI;WP;;;CO)"
+ moded = "(D;;CC;;;LG)"
self.dacl_add_ace(ou_dn, mod)
desc_sddl = self.get_desc_sddl(ou_dn)
# Create group child object
desc_sddl = self.get_desc_sddl(group_dn)
self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
+ self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
+ desc_sddl = self.get_desc_sddl(group_dn)
+ self.assertTrue(moded in desc_sddl)
+ self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
+ self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
########################################################################################