python/samba/tests/samba_tool/user_virtualCryptSHA.py

   1 # Tests for the samba-tool user sub command reading Primary:userPassword
   2 #
   3 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
   4 #
   5 # This program is free software; you can redistribute it and/or modify
   6 # it under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # This program is distributed in the hope that it will be useful,
  11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 #
  18
  19 import os
  20 import time
  21 import base64
  22 import ldb
  23 import samba
  24 from samba.tests.samba_tool.base import SambaToolCmdTest
  25 from samba.credentials import Credentials
  26 from samba.samdb import SamDB
  27 from samba.auth import system_session
  28 from samba.ndr import ndr_unpack
  29 from samba.dcerpc import drsblobs
  30 from samba import dsdb
  31 import re
  32 import random
  33 import string
  34
  35 USER_NAME = "CryptSHATestUser"
  36 # Create a random 32 character password, containing only letters and
  37 # digits to avoid issues when used on the command line.
  38 # Ensuring the password includes at least:
  39 #   1 upper case letter
  40 #   1 lower case letter
  41 #   1 digit.
  42 #
  43 USER_PASS = (''.join(random.choice(string.ascii_uppercase +
  44                                    string.ascii_lowercase +
  45                                    string.digits) for _ in range(29)) +
  46              random.choice(string.ascii_uppercase) +
  47              random.choice(string.ascii_lowercase) +
  48              random.choice(string.digits))
  49 HASH_OPTION = "password hash userPassword schemes"
  50
  51 # Get the value of an attribute from the output string
  52 # Note: Does not correctly handle values spanning multiple lines,
  53 #       which is acceptable for it's usage in these tests.
  54 def _get_attribute(out, name):
  55     p = re.compile("^" + name + ":\s+(\S+)")
  56     for line in out.split("\n"):
  57         m = p.match(line)
  58         if m:
  59             return m.group(1)
  60     return ""
  61
  62 class UserCmdCryptShaTestCase(SambaToolCmdTest):
  63     """
  64     Tests for samba-tool user subcommands generation of the virtualCryptSHA256
  65     and virtualCryptSHA512 attributes
  66     """
  67     users = []
  68     samdb = None
  69
  70     def setUp(self):
  71         super(UserCmdCryptShaTestCase, self).setUp()
  72
  73     def add_user(self, hashes=""):
  74         self.lp = samba.tests.env_loadparm()
  75
  76         # set the extra hashes to be calculated
  77         self.lp.set(HASH_OPTION, hashes)
  78
  79         self.creds = Credentials()
  80         self.session = system_session()
  81         self.ldb = SamDB(
  82             session_info=self.session,
  83             credentials=self.creds,
  84             lp=self.lp)
  85
  86         self.runsubcmd("user",
  87                        "create",
  88                        USER_NAME,
  89                        USER_PASS)
  90
  91     def tearDown(self):
  92         super(UserCmdCryptShaTestCase, self).tearDown()
  93         self.runsubcmd("user", "delete", USER_NAME)
  94
  95     def _get_password(self, attributes, decrypt=False):
  96         command = ["user",
  97                    "getpassword",
  98                    USER_NAME,
  99                    "--attributes",
 100                    attributes]
 101         if decrypt:
 102             command.append("--decrypt-samba-gpg")
 103
 104         (result, out, err) = self.runsubcmd(*command)
 105         self.assertCmdSuccess(result,
 106                               out,
 107                               err,
 108                               "Ensure getpassword runs")
 109         self.assertEqual(err, "", "getpassword")
 110         self.assertMatch(out,
 111                          "Got password OK",
 112                          "getpassword out[%s]" % out)
 113         return out
 114
 115     # Change the just the NT password hash, as would happen if the password
 116     # was updated by Windows, the userPassword values are now obsolete.
 117     #
 118     def _change_nt_hash(self):
 119         res = self.ldb.search(expression = "cn=%s" % USER_NAME,
 120                               scope      = ldb.SCOPE_SUBTREE)
 121         msg = ldb.Message()
 122         msg.dn = res[0].dn
 123         msg["unicodePwd"] = ldb.MessageElement(b"ABCDEF1234567890",
 124                                                ldb.FLAG_MOD_REPLACE,
 125                                                "unicodePwd")
 126         self.ldb.modify(
 127             msg,
 128             controls=["local_oid:%s:0" %
 129                       dsdb.DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID])
 130
 131     # gpg decryption not enabled.
 132     # both virtual attributes specified, no rounds option
 133     # no hashes stored in supplementalCredentials
 134     # Should not get values
 135     def test_no_gpg_both_hashes_no_rounds(self):
 136         self.add_user()
 137         out = self._get_password("virtualCryptSHA256,virtualCryptSHA512")
 138
 139         self.assertTrue("virtualCryptSHA256:" not in out)
 140         self.assertTrue("virtualCryptSHA512:" not in out)
 141         self.assertTrue("rounds=" not in out)
 142
 143     # gpg decryption not enabled.
 144     # SHA256 specified
 145     # no hashes stored in supplementalCredentials
 146     # No rounds
 147     #
 148     # Should not get values
 149     def test_no_gpg_sha256_no_rounds(self):
 150         self.add_user()
 151         out = self._get_password("virtualCryptSHA256")
 152
 153         self.assertTrue("virtualCryptSHA256:" not in out)
 154         self.assertTrue("virtualCryptSHA512:" not in out)
 155         self.assertTrue("rounds=" not in out)
 156
 157     # gpg decryption not enabled.
 158     # SHA512 specified
 159     # no hashes stored in supplementalCredentials
 160     # No rounds
 161     #
 162     # Should not get values
 163     def test_no_gpg_sha512_no_rounds(self):
 164         self.add_user()
 165         out = self._get_password("virtualCryptSHA512")
 166
 167         self.assertTrue("virtualCryptSHA256:" not in out)
 168         self.assertTrue("virtualCryptSHA512:" not in out)
 169         self.assertTrue("rounds=" not in out)
 170
 171     # gpg decryption not enabled.
 172     # SHA128 specified, i.e. invalid/unknown algorithm
 173     # no hashes stored in supplementalCredentials
 174     # No rounds
 175     #
 176     # Should not get values
 177     def test_no_gpg_invalid_alg_no_rounds(self):
 178         self.add_user()
 179         out = self._get_password("virtualCryptSHA128")
 180
 181         self.assertTrue("virtualCryptSHA256:" not in out)
 182         self.assertTrue("virtualCryptSHA512:" not in out)
 183         self.assertTrue("rounds=" not in out)
 184
 185     # gpg decryption enabled.
 186     # both virtual attributes specified, no rounds option
 187     # no hashes stored in supplementalCredentials
 188     # Should get values
 189     def test_gpg_both_hashes_no_rounds(self):
 190         self.add_user()
 191         out = self._get_password("virtualCryptSHA256,virtualCryptSHA512", True)
 192
 193         self.assertTrue("virtualCryptSHA256:" in out)
 194         self.assertTrue("virtualCryptSHA512:" in out)
 195         self.assertTrue("rounds=" not in out)
 196
 197     # gpg decryption enabled.
 198     # SHA256 specified
 199     # no hashes stored in supplementalCredentials
 200     # No rounds
 201     #
 202     # Should get values
 203     def test_gpg_sha256_no_rounds(self):
 204         self.add_user()
 205         out = self._get_password("virtualCryptSHA256", True)
 206
 207         self.assertTrue("virtualCryptSHA256:" in out)
 208         self.assertTrue("virtualCryptSHA512:" not in out)
 209         self.assertTrue("rounds=" not in out)
 210
 211     # gpg decryption enabled.
 212     # SHA512 specified
 213     # no hashes stored in supplementalCredentials
 214     # No rounds
 215     #
 216     # Should get values
 217     def test_gpg_sha512_no_rounds(self):
 218         self.add_user()
 219         out = self._get_password("virtualCryptSHA512", True)
 220
 221         self.assertTrue("virtualCryptSHA256:" not in out)
 222         self.assertTrue("virtualCryptSHA512:" in out)
 223         self.assertTrue("rounds=" not in out)
 224
 225     # gpg decryption enabled.
 226     # SHA128 specified, i.e. invalid/unknown algorithm
 227     # no hashes stored in supplementalCredentials
 228     # No rounds
 229     #
 230     # Should not get values
 231     def test_gpg_invalid_alg_no_rounds(self):
 232         self.add_user()
 233         out = self._get_password("virtualCryptSHA128", True)
 234
 235         self.assertTrue("virtualCryptSHA256:" not in out)
 236         self.assertTrue("virtualCryptSHA512:" not in out)
 237         self.assertTrue("rounds=" not in out)
 238
 239     # gpg decryption enabled.
 240     # both virtual attributes specified, no rounds option
 241     # no hashes stored in supplementalCredentials
 242     # underlying windows password changed, so plain text password is
 243     # invalid.
 244     # Should not get values
 245     def test_gpg_both_hashes_no_rounds_pwd_changed(self):
 246         self.add_user()
 247         self._change_nt_hash()
 248         out = self._get_password("virtualCryptSHA256,virtualCryptSHA512", True)
 249
 250         self.assertTrue("virtualCryptSHA256:" not in out)
 251         self.assertTrue("virtualCryptSHA512:" not in out)
 252         self.assertTrue("rounds=" not in out)
 253
 254     # gpg decryption enabled.
 255     # SHA256 specified, no rounds option
 256     # no hashes stored in supplementalCredentials
 257     # underlying windows password changed, so plain text password is
 258     # invalid.
 259     # Should not get values
 260     def test_gpg_sha256_no_rounds_pwd_changed(self):
 261         self.add_user()
 262         self._change_nt_hash()
 263         out = self._get_password("virtualCryptSHA256", True)
 264
 265         self.assertTrue("virtualCryptSHA256:" not in out)
 266         self.assertTrue("virtualCryptSHA512:" not in out)
 267         self.assertTrue("rounds=" not in out)
 268
 269     # gpg decryption enabled.
 270     # SHA512 specified, no rounds option
 271     # no hashes stored in supplementalCredentials
 272     # underlying windows password changed, so plain text password is
 273     # invalid.
 274     # Should not get values
 275     def test_gpg_sha512_no_rounds_pwd_changed(self):
 276         self.add_user()
 277         self._change_nt_hash()
 278         out = self._get_password("virtualCryptSHA256", True)
 279
 280         self.assertTrue("virtualCryptSHA256:" not in out)
 281         self.assertTrue("virtualCryptSHA512:" not in out)
 282         self.assertTrue("rounds=" not in out)
 283
 284     # gpg decryption enabled.
 285     # both virtual attributes specified, rounds specified
 286     # no hashes stored in supplementalCredentials
 287     # Should get values reflecting the requested rounds
 288     def test_gpg_both_hashes_both_rounds(self):
 289         self.add_user()
 290         out = self._get_password(
 291             "virtualCryptSHA256;rounds=10123,virtualCryptSHA512;rounds=10456",
 292             True)
 293
 294         self.assertTrue("virtualCryptSHA256:" in out)
 295         self.assertTrue("virtualCryptSHA512:" in out)
 296
 297         sha256 = _get_attribute(out, "virtualCryptSHA256")
 298         self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=10123$"))
 299
 300         sha512 = _get_attribute(out, "virtualCryptSHA512")
 301         self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=10456$"))
 302
 303     # gpg decryption enabled.
 304     # both virtual attributes specified, rounds specified
 305     # invalid rounds for sha256
 306     # no hashes stored in supplementalCredentials
 307     # Should get values, no rounds for sha256, rounds for sha 512
 308     def test_gpg_both_hashes_sha256_rounds_invalid(self):
 309         self.add_user()
 310         out = self._get_password(
 311             "virtualCryptSHA256;rounds=invalid,virtualCryptSHA512;rounds=3125",
 312             True)
 313
 314         self.assertTrue("virtualCryptSHA256:" in out)
 315         self.assertTrue("virtualCryptSHA512:" in out)
 316
 317         sha256 = _get_attribute(out, "virtualCryptSHA256")
 318         self.assertTrue(sha256.startswith("{CRYPT}$5$"))
 319         self.assertTrue("rounds" not in sha256)
 320
 321         sha512 = _get_attribute(out, "virtualCryptSHA512")
 322         self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=3125$"))
 323
 324     # gpg decryption not enabled.
 325     # both virtual attributes specified, no rounds option
 326     # both hashes stored in supplementalCredentials
 327     # Should get values
 328     def test_no_gpg_both_hashes_no_rounds_stored_hashes(self):
 329         self.add_user("CryptSHA512 CryptSHA256")
 330
 331         out = self._get_password("virtualCryptSHA256,virtualCryptSHA512")
 332
 333         self.assertTrue("virtualCryptSHA256:" in out)
 334         self.assertTrue("virtualCryptSHA512:" in out)
 335         self.assertTrue("rounds=" not in out)
 336
 337         # Should be using the pre computed hash in supplementalCredentials
 338         # so it should not change between calls.
 339         sha256 = _get_attribute(out, "virtualCryptSHA256")
 340         sha512 = _get_attribute(out, "virtualCryptSHA512")
 341
 342         out = self._get_password("virtualCryptSHA256,virtualCryptSHA512")
 343         self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
 344         self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
 345
 346     # gpg decryption not enabled.
 347     # both virtual attributes specified, rounds specified
 348     # both hashes stored in supplementalCredentials, with not rounds
 349     # Should get hashes for the first matching scheme entry
 350     def test_no_gpg_both_hashes_rounds_stored_hashes(self):
 351         self.add_user("CryptSHA512 CryptSHA256")
 352
 353         out = self._get_password("virtualCryptSHA256;rounds=2561," +
 354                                  "virtualCryptSHA512;rounds=5129")
 355
 356         self.assertTrue("virtualCryptSHA256:" in out)
 357         self.assertTrue("virtualCryptSHA512:" in out)
 358         self.assertTrue("rounds=" not in out)
 359
 360         # Should be using the pre computed hash in supplementalCredentials
 361         # so it should not change between calls.
 362         sha256 = _get_attribute(out, "virtualCryptSHA256")
 363         sha512 = _get_attribute(out, "virtualCryptSHA512")
 364
 365         out = self._get_password("virtualCryptSHA256,virtualCryptSHA512")
 366         self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
 367         self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
 368
 369     # gpg decryption not enabled.
 370     # both virtual attributes specified, rounds specified
 371     # both hashes stored in supplementalCredentials, with rounds
 372     # Should get values
 373     def test_no_gpg_both_hashes_rounds_stored_hashes_with_rounds(self):
 374         self.add_user("CryptSHA512 " +
 375                       "CryptSHA256 " +
 376                       "CryptSHA512:rounds=5129 " +
 377                       "CryptSHA256:rounds=2561")
 378
 379         out = self._get_password("virtualCryptSHA256;rounds=2561," +
 380                                  "virtualCryptSHA512;rounds=5129")
 381
 382         self.assertTrue("virtualCryptSHA256:" in out)
 383         self.assertTrue("virtualCryptSHA512:" in out)
 384         self.assertTrue("rounds=" in out)
 385
 386         # Should be using the pre computed hash in supplementalCredentials
 387         # so it should not change between calls.
 388         sha256 = _get_attribute(out, "virtualCryptSHA256")
 389         sha512 = _get_attribute(out, "virtualCryptSHA512")
 390
 391         out = self._get_password("virtualCryptSHA256;rounds=2561," +
 392                                  "virtualCryptSHA512;rounds=5129")
 393         self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
 394         self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
 395
 396         # Number of rounds should match that specified
 397         self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561"))
 398         self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129"))
 399
 400     # gpg decryption not enabled.
 401     # both virtual attributes specified, rounds specified
 402     # both hashes stored in supplementalCredentials, with rounds
 403     # number of rounds stored/requested do not match
 404     # Should get the precomputed hashes for CryptSHA512 and CryptSHA256
 405     def test_no_gpg_both_hashes_rounds_stored_hashes_with_rounds_no_match(self):
 406         self.add_user("CryptSHA512 " +
 407                       "CryptSHA256 " +
 408                       "CryptSHA512:rounds=5129 " +
 409                       "CryptSHA256:rounds=2561")
 410
 411         out = self._get_password("virtualCryptSHA256;rounds=4000," +
 412                                  "virtualCryptSHA512;rounds=5000")
 413
 414         self.assertTrue("virtualCryptSHA256:" in out)
 415         self.assertTrue("virtualCryptSHA512:" in out)
 416         self.assertTrue("rounds=" not in out)
 417
 418         # Should be using the pre computed hash in supplementalCredentials
 419         # so it should not change between calls.
 420         sha256 = _get_attribute(out, "virtualCryptSHA256")
 421         sha512 = _get_attribute(out, "virtualCryptSHA512")
 422
 423         out = self._get_password("virtualCryptSHA256;rounds=4000," +
 424                                  "virtualCryptSHA512;rounds=5000")
 425         self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
 426         self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
 427
 428         # As the number of rounds did not match, should have returned the
 429         # first hash of the coresponding scheme
 430         out = self._get_password("virtualCryptSHA256," +
 431                                  "virtualCryptSHA512")
 432         self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
 433         self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
 434
 435     # gpg decryption enabled.
 436     # both virtual attributes specified, no rounds option
 437     # both hashes stored in supplementalCredentials
 438     # Should get values
 439     def test_gpg_both_hashes_no_rounds_stored_hashes(self):
 440         self.add_user("CryptSHA512 CryptSHA256")
 441
 442         out = self._get_password("virtualCryptSHA256,virtualCryptSHA512", True)
 443
 444         self.assertTrue("virtualCryptSHA256:" in out)
 445         self.assertTrue("virtualCryptSHA512:" in out)
 446         self.assertTrue("rounds=" not in out)
 447
 448         # Should be using the pre computed hash in supplementalCredentials
 449         # so it should not change between calls.
 450         sha256 = _get_attribute(out, "virtualCryptSHA256")
 451         sha512 = _get_attribute(out, "virtualCryptSHA512")
 452
 453         out = self._get_password("virtualCryptSHA256,virtualCryptSHA512", True)
 454         self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
 455         self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
 456
 457     # gpg decryption enabled.
 458     # both virtual attributes specified, rounds specified
 459     # both hashes stored in supplementalCredentials, with no rounds
 460     # Should get calculated hashed with the correct number of rounds
 461     def test_gpg_both_hashes_rounds_stored_hashes(self):
 462         self.add_user("CryptSHA512 CryptSHA256")
 463
 464         out = self._get_password("virtualCryptSHA256;rounds=2561," +
 465                                  "virtualCryptSHA512;rounds=5129",
 466                                  True)
 467
 468         self.assertTrue("virtualCryptSHA256:" in out)
 469         self.assertTrue("virtualCryptSHA512:" in out)
 470         self.assertTrue("rounds=" in out)
 471
 472         # Should be calculating the hashes
 473         # so they should change between calls.
 474         sha256 = _get_attribute(out, "virtualCryptSHA256")
 475         sha512 = _get_attribute(out, "virtualCryptSHA512")
 476
 477         out = self._get_password("virtualCryptSHA256;rounds=2561," +
 478                                  "virtualCryptSHA512;rounds=5129",
 479                                  True)
 480         self.assertFalse(sha256 == _get_attribute(out, "virtualCryptSHA256"))
 481         self.assertFalse(sha512 == _get_attribute(out, "virtualCryptSHA512"))
 482
 483         # The returned hashes should specify the correct number of rounds
 484         self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561"))
 485         self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129"))
 486
 487     # gpg decryption enabled.
 488     # both virtual attributes specified, rounds specified
 489     # both hashes stored in supplementalCredentials, with rounds
 490     # Should get values
 491     def test_gpg_both_hashes_rounds_stored_hashes_with_rounds(self):
 492         self.add_user("CryptSHA512 " +
 493                       "CryptSHA256 " +
 494                       "CryptSHA512:rounds=5129 " +
 495                       "CryptSHA256:rounds=2561")
 496
 497         out = self._get_password("virtualCryptSHA256;rounds=2561," +
 498                                  "virtualCryptSHA512;rounds=5129",
 499                                  True)
 500
 501         self.assertTrue("virtualCryptSHA256:" in out)
 502         self.assertTrue("virtualCryptSHA512:" in out)
 503         self.assertTrue("rounds=" in out)
 504
 505         # Should be using the pre computed hash in supplementalCredentials
 506         # so it should not change between calls.
 507         sha256 = _get_attribute(out, "virtualCryptSHA256")
 508         sha512 = _get_attribute(out, "virtualCryptSHA512")
 509
 510         out = self._get_password("virtualCryptSHA256;rounds=2561," +
 511                                  "virtualCryptSHA512;rounds=5129",
 512                                  True)
 513         self.assertEquals(sha256, _get_attribute(out, "virtualCryptSHA256"))
 514         self.assertEquals(sha512, _get_attribute(out, "virtualCryptSHA512"))
 515
 516         # The returned hashes should specify the correct number of rounds
 517         self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=2561"))
 518         self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5129"))
 519
 520     # gpg decryption enabled.
 521     # both virtual attributes specified, rounds specified
 522     # both hashes stored in supplementalCredentials, with rounds
 523     # number of rounds stored/requested do not match
 524     # Should get calculated hashes with the correct number of rounds
 525     def test_gpg_both_hashes_rounds_stored_hashes_with_rounds_no_match(self):
 526         self.add_user("CryptSHA512 " +
 527                       "CryptSHA256 " +
 528                       "CryptSHA512:rounds=5129 " +
 529                       "CryptSHA256:rounds=2561")
 530
 531         out = self._get_password("virtualCryptSHA256;rounds=4000," +
 532                                  "virtualCryptSHA512;rounds=5000",
 533                                  True)
 534
 535         self.assertTrue("virtualCryptSHA256:" in out)
 536         self.assertTrue("virtualCryptSHA512:" in out)
 537         self.assertTrue("rounds=" in out)
 538
 539         # Should be calculating the hashes
 540         # so they should change between calls.
 541         sha256 = _get_attribute(out, "virtualCryptSHA256")
 542         sha512 = _get_attribute(out, "virtualCryptSHA512")
 543
 544         out = self._get_password("virtualCryptSHA256;rounds=4000," +
 545                                  "virtualCryptSHA512;rounds=5000",
 546                                  True)
 547         self.assertFalse(sha256 == _get_attribute(out, "virtualCryptSHA256"))
 548         self.assertFalse(sha512 == _get_attribute(out, "virtualCryptSHA512"))
 549
 550         # The calculated hashes should specify the correct number of rounds
 551         self.assertTrue(sha256.startswith("{CRYPT}$5$rounds=4000"))
 552         self.assertTrue(sha512.startswith("{CRYPT}$6$rounds=5000"))