Fix PEP8 warning E711 comparison to None

[nivanova/samba-autobuild/.git] / source4 / dsdb / tests / python / password_settings.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Tests for Password Settings Objects.
#
# This also tests the default password complexity (i.e. pwdProperties),
# minPwdLength, pwdHistoryLength settings as a side-effect.
#
# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

#
# Usage:
#  export SERVER_IP=target_dc
#  export SUBUNITRUN=$samba4srcdir/scripting/bin/subunitrun
#  PYTHONPATH="$PYTHONPATH:$samba4srcdir/dsdb/tests/python" $SUBUNITRUN password_settings -U"$DOMAIN/$DC_USERNAME"%"$DC_PASSWORD"
#

import samba.tests
import ldb
from ldb import SCOPE_BASE, FLAG_MOD_DELETE, FLAG_MOD_ADD, FLAG_MOD_REPLACE
from samba import dsdb
import time
from samba.tests.password_test import PasswordTestCase
from samba.tests.pso import TestUser
from samba.tests.pso import PasswordSettings
from samba.credentials import Credentials
from samba.samdb import SamDB
from samba import gensec
from samba.dcerpc.samr import DOMAIN_PASSWORD_STORE_CLEARTEXT
from samba.auth import system_session
import base64

class PasswordSettingsTestCase(PasswordTestCase):
    def setUp(self):
        super(PasswordSettingsTestCase, self).setUp()

        self.host_url = "ldap://%s" % samba.tests.env_get_var_value("SERVER_IP")
        self.ldb = samba.tests.connect_samdb(self.host_url)

        # create a temp OU to put this test's users into
        self.ou = samba.tests.create_test_ou(self.ldb, "password_settings")

        # update DC to allow password changes for the duration of this test
        self.allow_password_changes()

        # store the current password-settings for the domain
        self.pwd_defaults = PasswordSettings(None, self.ldb)
        self.test_objs = []

    def tearDown(self):
        super(PasswordSettingsTestCase, self).tearDown()

        # remove all objects under the top-level OU
        self.ldb.delete(self.ou, ["tree_delete:1"])

        # PSOs can't reside within an OU so they need to be cleaned up separately
        for obj in self.test_objs:
            self.ldb.delete(obj)

    def add_obj_cleanup(self, dn_list):
        """Handles cleanup of objects outside of the test OU in the tearDown"""
        self.test_objs.extend(dn_list)

    def add_group(self, group_name):
        """Creates a new group"""
        dn = "CN=%s,%s" %(group_name, self.ou)
        self.ldb.add({"dn": dn, "objectclass": "group"})
        return dn

    def set_attribute(self, dn, attr, value, operation=FLAG_MOD_ADD, samdb=None):
        """Modifies an attribute for an object"""
        if samdb is None:
            samdb = self.ldb
        m = ldb.Message()
        m.dn = ldb.Dn(samdb, dn)
        m[attr] = ldb.MessageElement(value, operation, attr)
        samdb.modify(m)

    def add_user(self, username):
        # add a new user to the DB under our top-level OU
        userou = "ou=%s" % self.ou.get_component_value(0)
        return TestUser(username, self.ldb, userou=userou)

    def assert_password_invalid(self, user, password):
        """
        Check we can't set a password that violates complexity or length
        constraints
        """
        try:
            user.set_password(password)
            # fail the test if no exception was encountered
            self.fail("Password '%s' should have been rejected" % password)
        except ldb.LdbError as e:
            (num, msg) = e.args
            self.assertEquals(num, ldb.ERR_CONSTRAINT_VIOLATION, msg)
            self.assertTrue('0000052D' in msg, msg)

    def assert_password_valid(self, user, password):
        """Checks that we can set a password successfully"""
        try:
            user.set_password(password)
        except ldb.LdbError as e:
            (num, msg) = e.args
            # fail the test (rather than throw an error)
            self.fail("Password '%s' unexpectedly rejected: %s" %(password, msg))

    def assert_PSO_applied(self, user, pso):
        """
        Asserts the expected PSO is applied by checking the msDS-ResultantPSO
        attribute, as well as checking the corresponding password-length,
        complexity, and history are enforced correctly
        """
        resultant_pso = user.get_resultant_PSO()
        self.assertTrue(resultant_pso == pso.dn,
                        "Expected PSO %s, not %s" %(pso.name,
                                                    str(resultant_pso)))

        # we're mirroring the pwd_history for the user, so make sure this is
        # up-to-date, before we start making password changes
        if user.last_pso:
            user.pwd_history_change(user.last_pso.history_len, pso.history_len)
        user.last_pso = pso

        # check if we can set a sufficiently long, but non-complex, password.
        # (We use the history-size to generate a unique password for each
        # assertion - otherwise, if the password is already in the history,
        # then it'll be rejected)
        unique_char = chr(ord('a') + len(user.all_old_passwords))
        noncomplex_pwd = "%cabcdefghijklmnopqrst" % unique_char

        if pso.complexity:
            self.assert_password_invalid(user, noncomplex_pwd)
        else:
            self.assert_password_valid(user, noncomplex_pwd)

        # use a unique and sufficiently complex base-string to check pwd-length
        pass_phrase = "%d#AaBbCcDdEeFfGgHhIi" % len(user.all_old_passwords)

        # check that passwords less than the specified length are rejected
        for i in range(3, pso.password_len):
            self.assert_password_invalid(user, pass_phrase[:i])

        # check we can set a password that's exactly the minimum length
        self.assert_password_valid(user, pass_phrase[:pso.password_len])

        # check the password history is enforced correctly.
        # first, check the last n items in the password history are invalid
        invalid_passwords = user.old_invalid_passwords(pso.history_len)
        for pwd in invalid_passwords:
            self.assert_password_invalid(user, pwd)

        # next, check any passwords older than the history-len can be re-used
        valid_passwords = user.old_valid_passwords(pso.history_len)
        for pwd in valid_passwords:
            self.assert_set_old_password(user, pwd, pso)

    def password_is_complex(self, password):
        # non-complex passwords used in the tests are all lower-case letters
        # If it's got a number in the password, assume it's complex
        return any(c.isdigit() for c in password)

    def assert_set_old_password(self, user, password, pso):
        """
        Checks a user password can be set (if the password conforms to the PSO
        settings). Used to check an old password that falls outside the history
        length, but might still be invalid for other reasons.
        """
        if self.password_is_complex(password):
            # check password conforms to length requirements
            if len(password) < pso.password_len:
                self.assert_password_invalid(user, password)
            else:
                self.assert_password_valid(user, password)
        else:
            # password is not complex, check PSO handles it appropriately
            if pso.complexity:
                self.assert_password_invalid(user, password)
            else:
                self.assert_password_valid(user, password)

    def test_pso_basics(self):
        """Simple tests that a PSO takes effect when applied to a group or user"""

        # create some PSOs that vary in priority and basic password-len
        best_pso = PasswordSettings("highest-priority-PSO", self.ldb,
                                    precedence=5, password_len=16,
                                    history_len=6)
        medium_pso = PasswordSettings("med-priority-PSO", self.ldb,
                                      precedence=15, password_len=10,
                                      history_len=4)
        worst_pso = PasswordSettings("lowest-priority-PSO", self.ldb,
                                     precedence=100, complexity=False,
                                     password_len=4, history_len=2)

        # handle PSO clean-up (as they're outside the top-level test OU)
        self.add_obj_cleanup([worst_pso.dn, medium_pso.dn, best_pso.dn])

        # create some groups and apply the PSOs to the groups
        group1 = self.add_group("Group-1")
        group2 = self.add_group("Group-2")
        group3 = self.add_group("Group-3")
        group4 = self.add_group("Group-4")
        worst_pso.apply_to(group1)
        medium_pso.apply_to(group2)
        best_pso.apply_to(group3)
        worst_pso.apply_to(group4)

        # create a user and check the default settings apply to it
        user = self.add_user("testuser")
        self.assert_PSO_applied(user, self.pwd_defaults)

        # add user to a group. Check that the group's PSO applies to the user
        self.set_attribute(group1, "member", user.dn)
        self.assert_PSO_applied(user, worst_pso)

        # add the user to a group with a higher precedence PSO and and check
        # that now trumps the previous PSO
        self.set_attribute(group2, "member", user.dn)
        self.assert_PSO_applied(user, medium_pso)

        # add the user to the remaining groups. The highest precedence PSO
        # should now take effect
        self.set_attribute(group3, "member", user.dn)
        self.set_attribute(group4, "member", user.dn)
        self.assert_PSO_applied(user, best_pso)

        # delete a group membership and check the PSO changes
        self.set_attribute(group3, "member", user.dn, operation=FLAG_MOD_DELETE)
        self.assert_PSO_applied(user, medium_pso)

        # apply the low-precedence PSO directly to the user
        # (directly applied PSOs should trump higher precedence group PSOs)
        worst_pso.apply_to(user.dn)
        self.assert_PSO_applied(user, worst_pso)

        # remove applying the PSO directly to the user and check PSO changes
        worst_pso.unapply(user.dn)
        self.assert_PSO_applied(user, medium_pso)

        # remove all appliesTo and check we have the default settings again
        worst_pso.unapply(group1)
        medium_pso.unapply(group2)
        worst_pso.unapply(group4)
        self.assert_PSO_applied(user, self.pwd_defaults)

    def test_pso_nested_groups(self):
        """PSOs operate correctly when applied to nested groups"""

        # create some PSOs that vary in priority and basic password-len
        group1_pso = PasswordSettings("group1-PSO", self.ldb, precedence=50,
                                      password_len=12, history_len=3)
        group2_pso = PasswordSettings("group2-PSO", self.ldb, precedence=25,
                                      password_len=10, history_len=5,
                                      complexity=False)
        group3_pso = PasswordSettings("group3-PSO", self.ldb, precedence=10,
                                      password_len=6, history_len=2)

        # create some groups and apply the PSOs to the groups
        group1 = self.add_group("Group-1")
        group2 = self.add_group("Group-2")
        group3 = self.add_group("Group-3")
        group4 = self.add_group("Group-4")
        group1_pso.apply_to(group1)
        group2_pso.apply_to(group2)
        group3_pso.apply_to(group3)

        # create a PSO and apply it to a group that the user is not a member
        # of - it should not have any effect on the user
        unused_pso = PasswordSettings("unused-PSO", self.ldb, precedence=1,
                                      password_len=20)
        unused_pso.apply_to(group4)

        # handle PSO clean-up (as they're outside the top-level test OU)
        self.add_obj_cleanup([group1_pso.dn, group2_pso.dn, group3_pso.dn,
                              unused_pso.dn])

        # create a user and check the default settings apply to it
        user = self.add_user("testuser")
        self.assert_PSO_applied(user, self.pwd_defaults)

        # add user to a group. Check that the group's PSO applies to the user
        self.set_attribute(group1, "member", user.dn)
        self.set_attribute(group2, "member", group1)
        self.assert_PSO_applied(user, group2_pso)

        # add another level to the group heirachy & check this PSO takes effect
        self.set_attribute(group3, "member", group2)
        self.assert_PSO_applied(user, group3_pso)

        # invert the PSO precedence and check the new lowest value takes effect
        group1_pso.set_precedence(3)
        group2_pso.set_precedence(13)
        group3_pso.set_precedence(33)
        self.assert_PSO_applied(user, group1_pso)

        # delete a PSO and check it no longer applies
        self.ldb.delete(group1_pso.dn)
        self.test_objs.remove(group1_pso.dn)
        self.assert_PSO_applied(user, group2_pso)

    def get_guid(self, dn):
        res = self.ldb.search(base=dn, attrs=["objectGUID"], scope=ldb.SCOPE_BASE)
        return res[0]['objectGUID'][0]

    def guid_string(self, guid):
        return self.ldb.schema_format_value("objectGUID", guid)

    def PSO_with_lowest_GUID(self, pso_list):
        """Returns the PSO object in the list with the lowest GUID"""
        # go through each PSO and fetch its GUID
        guid_list = []
        mapping = {}
        for pso in pso_list:
            guid = self.get_guid(pso.dn)
            guid_list.append(guid)
            # remember which GUID maps to what PSO
            mapping[guid] = pso

        # sort the GUID list to work out the lowest/best GUID
        guid_list.sort()
        best_guid = guid_list[0]

        # sanity-check the mapping between GUID and DN is correct
        self.assertEqual(self.guid_string(self.get_guid(mapping[best_guid].dn)),
                         self.guid_string(best_guid))

        # return the PSO that this GUID corresponds to
        return mapping[best_guid]

    def test_pso_equal_precedence(self):
        """Tests expected PSO wins when several have the same precedence"""

        # create some PSOs that vary in priority and basic password-len
        pso1 = PasswordSettings("PSO-1", self.ldb, precedence=5, history_len=1,
                                password_len=11)
        pso2 = PasswordSettings("PSO-2", self.ldb, precedence=5, history_len=2,
                                password_len=8)
        pso3 = PasswordSettings("PSO-3", self.ldb, precedence=5, history_len=3,
                                password_len=5, complexity=False)
        pso4 = PasswordSettings("PSO-4", self.ldb, precedence=5, history_len=4,
                                password_len=13, complexity=False)

        # handle PSO clean-up (as they're outside the top-level test OU)
        self.add_obj_cleanup([pso1.dn, pso2.dn, pso3.dn, pso4.dn])

        # create some groups and apply the PSOs to the groups
        group1 = self.add_group("Group-1")
        group2 = self.add_group("Group-2")
        group3 = self.add_group("Group-3")
        group4 = self.add_group("Group-4")
        pso1.apply_to(group1)
        pso2.apply_to(group2)
        pso3.apply_to(group3)
        pso4.apply_to(group4)

        # create a user and check the default settings apply to it
        user = self.add_user("testuser")
        self.assert_PSO_applied(user, self.pwd_defaults)

        # add the user to all the groups
        self.set_attribute(group1, "member", user.dn)
        self.set_attribute(group2, "member", user.dn)
        self.set_attribute(group3, "member", user.dn)
        self.set_attribute(group4, "member", user.dn)

        # precedence is equal, so the PSO with lowest GUID gets applied
        pso_list = [pso1, pso2, pso3, pso4]
        best_pso = self.PSO_with_lowest_GUID(pso_list)
        self.assert_PSO_applied(user, best_pso)

        # excluding the winning PSO, apply the other PSOs directly to the user
        pso_list.remove(best_pso)
        for pso in pso_list:
            pso.apply_to(user.dn)

        # we should now have a different PSO applied (the 2nd lowest GUID)
        next_best_pso = self.PSO_with_lowest_GUID(pso_list)
        self.assertTrue(next_best_pso is not best_pso)
        self.assert_PSO_applied(user, next_best_pso)

        # bump the precedence of another PSO and it should now win
        pso_list.remove(next_best_pso)
        best_pso = pso_list[0]
        best_pso.set_precedence(4)
        self.assert_PSO_applied(user, best_pso)

    def test_pso_invalid_location(self):
        """Tests that PSOs in an invalid location have no effect"""

        # PSOs should only be able to be created within a Password Settings
        # Container object. Trying to create one under an OU should fail
        try:
            rogue_pso = PasswordSettings("rogue-PSO", self.ldb, precedence=1,
                                         complexity=False, password_len=20,
                                         container=self.ou)
            self.fail()
        except ldb.LdbError as e:
            (num, msg) = e.args
            self.assertEquals(num, ldb.ERR_NAMING_VIOLATION, msg)
            # Windows returns 2099 (Illegal superior), Samba returns 2037
            # (Naming violation - "not a valid child class")
            self.assertTrue('00002099' in msg or '00002037' in msg, msg)

        # we can't create Password Settings Containers under an OU either
        try:
            rogue_psc = "CN=Rogue-PSO-container,%s" % self.ou
            self.ldb.add({"dn": rogue_psc,
                          "objectclass": "msDS-PasswordSettingsContainer"})
            self.fail()
        except ldb.LdbError as e:
            (num, msg) = e.args
            self.assertEquals(num, ldb.ERR_NAMING_VIOLATION, msg)
            self.assertTrue('00002099' in msg or '00002037' in msg, msg)

        base_dn = self.ldb.get_default_basedn()
        rogue_psc = "CN=Rogue-PSO-container,CN=Computers,%s" % base_dn
        self.ldb.add({"dn": rogue_psc,
                      "objectclass": "msDS-PasswordSettingsContainer"})

        rogue_pso = PasswordSettings("rogue-PSO", self.ldb, precedence=1,
                                     container=rogue_psc, password_len=20)
        self.add_obj_cleanup([rogue_pso.dn, rogue_psc])

        # apply the PSO to a group and check it has no effect on the user
        user = self.add_user("testuser")
        group = self.add_group("Group-1")
        rogue_pso.apply_to(group)
        self.set_attribute(group, "member", user.dn)
        self.assert_PSO_applied(user, self.pwd_defaults)

        # apply the PSO directly to the user and check it has no effect
        rogue_pso.apply_to(user.dn)
        self.assert_PSO_applied(user, self.pwd_defaults)

    # the PSOs created in these test-cases all use a default min-age of zero.
    # This is the only test case that checks the PSO's min-age is enforced
    def test_pso_min_age(self):
        """Tests that a PSO's min-age is enforced"""
        pso = PasswordSettings("min-age-PSO", self.ldb, password_len=10,
                               password_age_min=2, complexity=False)
        self.add_obj_cleanup([pso.dn])

        # create a user and apply the PSO
        user = self.add_user("testuser")
        pso.apply_to(user.dn)
        self.assertTrue(user.get_resultant_PSO() == pso.dn)

        # changing the password immediately should fail, even if password is valid
        valid_password = "min-age-passwd"
        self.assert_password_invalid(user, valid_password)
        # then trying the same password later should succeed
        time.sleep(pso.password_age_min + 0.5)
        self.assert_password_valid(user, valid_password)

    def test_pso_max_age(self):
        """Tests that a PSO's max-age is used"""

        # create PSOs that use the domain's max-age +/- 1 day
        domain_max_age = self.pwd_defaults.password_age_max
        day_in_secs = 60 * 60 * 24
        higher_max_age = domain_max_age + day_in_secs
        lower_max_age = domain_max_age - day_in_secs
        longer_pso = PasswordSettings("longer-age-PSO", self.ldb, precedence=5,
                                      password_age_max=higher_max_age)
        shorter_pso = PasswordSettings("shorter-age-PSO", self.ldb,
                                       precedence=1,
                                       password_age_max=lower_max_age)
        self.add_obj_cleanup([longer_pso.dn, shorter_pso.dn])

        user = self.add_user("testuser")

        # we can't wait around long enough for the max-age to expire, so instead
        # just check the msDS-UserPasswordExpiryTimeComputed for the user
        attrs=['msDS-UserPasswordExpiryTimeComputed']
        res = self.ldb.search(user.dn, attrs=attrs)
        domain_expiry = int(res[0]['msDS-UserPasswordExpiryTimeComputed'][0])

        # apply the longer PSO and check the expiry-time becomes longer
        longer_pso.apply_to(user.dn)
        self.assertTrue(user.get_resultant_PSO() == longer_pso.dn)
        res = self.ldb.search(user.dn, attrs=attrs)
        new_expiry = int(res[0]['msDS-UserPasswordExpiryTimeComputed'][0])

        # use timestamp diff of 1 day - 1 minute. The new expiry should still
        # be greater than this, without getting into nano-second granularity
        approx_timestamp_diff = (day_in_secs - 60) * (1e7)
        self.assertTrue(new_expiry > domain_expiry + approx_timestamp_diff)

        # apply the shorter PSO and check the expiry-time is shorter
        shorter_pso.apply_to(user.dn)
        self.assertTrue(user.get_resultant_PSO() == shorter_pso.dn)
        res = self.ldb.search(user.dn, attrs=attrs)
        new_expiry = int(res[0]['msDS-UserPasswordExpiryTimeComputed'][0])
        self.assertTrue(new_expiry < domain_expiry - approx_timestamp_diff)

    def test_pso_special_groups(self):
        """Checks applying a PSO to built-in AD groups takes effect"""

        # create some PSOs that will apply to special groups
        default_pso = PasswordSettings("default-PSO", self.ldb, precedence=20,
                                       password_len=8, complexity=False)
        guest_pso = PasswordSettings("guest-PSO", self.ldb, history_len=4,
                                     precedence=5, password_len=5)
        builtin_pso = PasswordSettings("builtin-PSO", self.ldb, history_len=9,
                                       precedence=1, password_len=9)
        admin_pso = PasswordSettings("admin-PSO", self.ldb, history_len=0,
                                     precedence=2, password_len=10)
        self.add_obj_cleanup([default_pso.dn, guest_pso.dn, admin_pso.dn,
                              builtin_pso.dn])
        domain_users = "CN=Domain Users,CN=Users,%s" % self.ldb.domain_dn()
        domain_guests = "CN=Domain Guests,CN=Users,%s" % self.ldb.domain_dn()
        admin_users = "CN=Domain Admins,CN=Users,%s" % self.ldb.domain_dn()

        # if we apply a PSO to Domain Users (which all users are a member of)
        # then that PSO should take effect on a new user
        default_pso.apply_to(domain_users)
        user = self.add_user("testuser")
        self.assert_PSO_applied(user, default_pso)

        # Apply a PSO to a builtin group. 'Domain Users' should be a member of
        # Builtin/Users, but builtin groups should be excluded from the PSO
        # calculation, so this should have no effect
        builtin_pso.apply_to("CN=Users,CN=Builtin,%s" % self.ldb.domain_dn())
        builtin_pso.apply_to("CN=Administrators,CN=Builtin,%s" % self.ldb.domain_dn())
        self.assert_PSO_applied(user, default_pso)

        # change the user's primary group to another group (the primaryGroupID
        # is a little odd in that there's no memberOf backlink for it)
        self.set_attribute(domain_guests, "member", user.dn)
        user.set_primary_group(domain_guests)
        # No PSO is applied to the Domain Guests yet, so the default PSO should
        # still apply
        self.assert_PSO_applied(user, default_pso)

        # now apply a PSO to the guests group, which should trump the default
        # PSO (because the guest PSO has a better precedence)
        guest_pso.apply_to(domain_guests)
        self.assert_PSO_applied(user, guest_pso)

        # create a new group that's a member of Admin Users
        nested_group = self.add_group("nested-group")
        self.set_attribute(admin_users, "member", nested_group)
        # set the user's primary-group to be the new group
        self.set_attribute(nested_group, "member", user.dn)
        user.set_primary_group(nested_group)
        # we've only changed group membership so far, not the PSO
        self.assert_PSO_applied(user, guest_pso)

        # now apply the best-precedence PSO to Admin Users and check it applies
        # to the user (via the nested-group's membership)
        admin_pso.apply_to(admin_users)
        self.assert_PSO_applied(user, admin_pso)

        # restore the default primaryGroupID so we can safely delete the group
        user.set_primary_group(domain_users)

    def test_pso_none_applied(self):
        """Tests cases where no Resultant PSO should be returned"""

        # create a PSO that we will check *doesn't* get returned
        dummy_pso = PasswordSettings("dummy-PSO", self.ldb, password_len=20)
        self.add_obj_cleanup([dummy_pso.dn])

        # you can apply a PSO to other objects (like OUs), but the resultantPSO
        # attribute should only be returned for users
        dummy_pso.apply_to(str(self.ou))
        res = self.ldb.search(self.ou, attrs=['msDS-ResultantPSO'])
        self.assertFalse('msDS-ResultantPSO' in res[0])

        # create a dummy user and apply the PSO
        user = self.add_user("testuser")
        dummy_pso.apply_to(user.dn)
        self.assertTrue(user.get_resultant_PSO() == dummy_pso.dn)

        # now clear the ADS_UF_NORMAL_ACCOUNT flag for the user, which should
        # mean a resultant PSO is no longer returned (we're essentially turning
        # the user into a DC here, which is a little overkill but tests
        # behaviour as per the Windows specification)
        self.set_attribute(user.dn, "userAccountControl",
                           str(dsdb.UF_WORKSTATION_TRUST_ACCOUNT),
                           operation=FLAG_MOD_REPLACE)
        self.assertIsNone(user.get_resultant_PSO())

        # reset it back to a normal user account
        self.set_attribute(user.dn, "userAccountControl",
                           str(dsdb.UF_NORMAL_ACCOUNT),
                           operation=FLAG_MOD_REPLACE)
        self.assertTrue(user.get_resultant_PSO() == dummy_pso.dn)

        # no PSO should be returned if RID is equal to DOMAIN_USER_RID_KRBTGT
        # (note this currently fails against Windows due to a Windows bug)
        krbtgt_user = "CN=krbtgt,CN=Users,%s" % self.ldb.domain_dn()
        dummy_pso.apply_to(krbtgt_user)
        res = self.ldb.search(krbtgt_user, attrs=['msDS-ResultantPSO'])
        self.assertFalse('msDS-ResultantPSO' in res[0])

    def get_ldb_connection(self, username, password, ldaphost):
        """Returns an LDB connection using the specified user's credentials"""
        creds = self.get_credentials()
        creds_tmp = Credentials()
        creds_tmp.set_username(username)
        creds_tmp.set_password(password)
        creds_tmp.set_domain(creds.get_domain())
        creds_tmp.set_realm(creds.get_realm())
        creds_tmp.set_workstation(creds.get_workstation())
        creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
                                      | gensec.FEATURE_SEAL)
        return samba.tests.connect_samdb(ldaphost, credentials=creds_tmp)

    def test_pso_permissions(self):
        """Checks that regular users can't modify/view PSO objects"""

        user = self.add_user("testuser")

        # get an ldb connection with the new user's privileges
        user_ldb = self.get_ldb_connection("testuser", user.get_password(),
                                           self.host_url)

        # regular users should not be able to create a PSO (at least, not in
        # the default Password Settings container)
        try:
            priv_pso = PasswordSettings("priv-PSO", user_ldb, password_len=20)
            self.fail()
        except ldb.LdbError as e:
            (num, msg) = e.args
            self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)

        # create a PSO as the admin user
        priv_pso = PasswordSettings("priv-PSO", self.ldb, password_len=20)
        self.add_obj_cleanup([priv_pso.dn])

        # regular users should not be able to apply a PSO to a user
        try:
            self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn,
                               samdb=user_ldb)
            self.fail()
        except ldb.LdbError as e:
            (num, msg) = e.args
            self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
            self.assertTrue('00002098' in msg, msg)

        self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn,
                           samdb=self.ldb)

        # regular users should not be able to change a PSO's precedence
        try:
            priv_pso.set_precedence(100, samdb=user_ldb)
            self.fail()
        except ldb.LdbError as e:
            (num, msg) = e.args
            self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
            self.assertTrue('00002098' in msg, msg)

        priv_pso.set_precedence(100, samdb=self.ldb)

        # regular users should not be able to view a PSO's settings
        pso_attrs = ["msDS-PSOAppliesTo", "msDS-PasswordSettingsPrecedence",
                     "msDS-PasswordHistoryLength", "msDS-LockoutThreshold",
                     "msDS-PasswordComplexityEnabled"]

        # users can see the PSO object's DN, but not its attributes
        res = user_ldb.search(priv_pso.dn, scope=ldb.SCOPE_BASE,
                              attrs=pso_attrs)
        self.assertTrue(str(priv_pso.dn) == str(res[0].dn))
        for attr in pso_attrs:
            self.assertFalse(attr in res[0])

        # whereas admin users can see everything
        res = self.ldb.search(priv_pso.dn, scope=ldb.SCOPE_BASE,
                              attrs=pso_attrs)
        for attr in pso_attrs:
            self.assertTrue(attr in res[0])

        # check replace/delete operations can't be performed by regular users
        operations = [ FLAG_MOD_REPLACE, FLAG_MOD_DELETE ]

        for oper in operations:
            try:
                self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn,
                                   samdb=user_ldb, operation=oper)
                self.fail()
            except ldb.LdbError as e:
                (num, msg) = e.args
                self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
                self.assertTrue('00002098' in msg, msg)

            # ...but can be performed by the admin user
            self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn,
                               samdb=self.ldb, operation=oper)

    # The 'user add' case is a bit more complicated as you can't really query
    # the msDS-ResultantPSO attribute on a user that doesn't exist yet (it
    # won't have any group membership or PSOs applied directly against it yet).
    # In theory it's possible to still get an applicable PSO via the user's
    # primaryGroupID (i.e. 'Domain Users' by default). However, testing aginst
    # Windows shows that the PSO doesn't take effect during the user add
    # operation. (However, the Windows GUI tools presumably adds the user in 2
    # steps, because it does enforce the PSO for users added via the GUI).
    def test_pso_add_user(self):
        """Tests against a 'Domain Users' PSO taking effect on a new user"""

        # create a PSO that will apply to users by default
        default_pso = PasswordSettings("default-PSO", self.ldb, precedence=20,
                                       password_len=12, complexity=False)
        self.add_obj_cleanup([default_pso.dn])

        # apply the PSO to Domain Users (which all users are a member of). In
        # theory, this PSO *could* take effect on a new user (but it doesn't)
        domain_users = "CN=Domain Users,CN=Users,%s" % self.ldb.domain_dn()
        default_pso.apply_to(domain_users)

        # first try to add a user with a password that doesn't meet the domain
        # defaults, to prove that the DC will reject bad passwords during a
        # user add
        userdn = "CN=testuser,%s" % self.ou
        password = base64.b64encode('"abcdef"'.encode('utf-16-le')).decode('utf8')

        # Note we use an LDIF operation to ensure that the password gets set
        # as part of the 'add' operation (whereas self.add_user() adds the user
        # first, then sets the password later in a 2nd step)
        try:
            ldif = """
dn: %s
objectClass: user
sAMAccountName: testuser
unicodePwd:: %s
""" % (userdn, password)
            self.ldb.add_ldif(ldif)
            self.fail()
        except ldb.LdbError as e:
                (num, msg) = e.args
                # error codes differ between Samba and Windows
                self.assertTrue(num == ldb.ERR_UNWILLING_TO_PERFORM or
                                num == ldb.ERR_CONSTRAINT_VIOLATION, msg)
                self.assertTrue('0000052D' in msg, msg)

        # now use a password that meets the domain defaults, but doesn't meet
        # the PSO requirements. Note that Windows allows this, i.e. it doesn't
        # honour the PSO during the add operation
        password = base64.b64encode('"abcde12#"'.encode('utf-16-le')).decode('utf8')
        ldif = """
dn: %s
objectClass: user
sAMAccountName: testuser
unicodePwd:: %s
""" % (userdn, password)
        self.ldb.add_ldif(ldif)

        # Now do essentially the same thing, but set the password in a 2nd step
        # which proves that the same password doesn't meet the PSO requirements
        userdn = "CN=testuser2,%s" % self.ou
        ldif = """
dn: %s
objectClass: user
sAMAccountName: testuser2
""" % userdn
        self.ldb.add_ldif(ldif)

        # now that the user exists, assert that the PSO is honoured
        try:
            ldif = """
dn: %s
changetype: modify
delete: unicodePwd
add: unicodePwd
unicodePwd:: %s
""" % (userdn, password)
            self.ldb.modify_ldif(ldif)
            self.fail()
        except ldb.LdbError as e:
                (num, msg) = e.args
                self.assertEquals(num, ldb.ERR_CONSTRAINT_VIOLATION, msg)
                self.assertTrue('0000052D' in msg, msg)

        # check setting a password that meets the PSO settings works
        password = base64.b64encode('"abcdefghijkl"'.encode('utf-16-le')).decode('utf8')
        ldif = """
dn: %s
changetype: modify
delete: unicodePwd
add: unicodePwd
unicodePwd:: %s
""" % (userdn, password)
        self.ldb.modify_ldif(ldif)

    def set_domain_pwdHistoryLength(self, value):
        m = ldb.Message()
        m.dn = ldb.Dn(self.ldb, self.ldb.domain_dn())
        m["pwdHistoryLength"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
        self.ldb.modify(m)

    def test_domain_pwd_history(self):
        """Non-PSO test for domain's pwdHistoryLength setting"""

        # restore the current pwdHistoryLength setting after the test completes
        curr_hist_len = str(self.pwd_defaults.history_len)
        self.addCleanup(self.set_domain_pwdHistoryLength, curr_hist_len)

        self.set_domain_pwdHistoryLength("4")
        user = self.add_user("testuser")

        initial_pwd = user.get_password()
        passwords = ["First12#", "Second12#", "Third12#", "Fourth12#"]

        # we should be able to set the password to new values OK
        for pwd in passwords:
            self.assert_password_valid(user, pwd)

        # the 2nd time round it should fail because they're in the history now
        for pwd in passwords:
            self.assert_password_invalid(user, pwd)

        # but the initial password is now outside the history, so should be OK
        self.assert_password_valid(user, initial_pwd)

        # if we set the history to zero, all the old passwords should now be OK
        self.set_domain_pwdHistoryLength("0")
        for pwd in passwords:
            self.assert_password_valid(user, pwd)

    def test_domain_pwd_history_zero(self):
        """Non-PSO test for pwdHistoryLength going from zero to non-zero"""

        # restore the current pwdHistoryLength setting after the test completes
        curr_hist_len = str(self.pwd_defaults.history_len)
        self.addCleanup(self.set_domain_pwdHistoryLength, curr_hist_len)

        self.set_domain_pwdHistoryLength("0")
        user = self.add_user("testuser")

        initial_pwd = user.get_password()
        self.assert_password_valid(user, "NewPwd12#")
        # we can set the exact same password again because there's no history
        self.assert_password_valid(user, "NewPwd12#")

        # There is a difference in behaviour here between Windows and Samba.
        # When going from zero to non-zero password-history, Windows treats
        # the current user's password as invalid (even though the password has
        # not been altered since the setting changed). Whereas Samba accepts
        # the current password (because it's not in the history until the
        # *next* time the user's password changes.
        self.set_domain_pwdHistoryLength("1")
        self.assert_password_invalid(user, "NewPwd12#")