2 # -*- coding: utf-8 -*-
11 sys.path.append("bin/python")
13 samba.ensure_external_module("testtools", "testtools")
14 samba.ensure_external_module("subunit", "subunit/python")
16 import samba.getopt as options
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
21 # For running the test unit
22 from samba.ndr import ndr_pack, ndr_unpack
23 from samba.dcerpc import security
25 from samba import gensec
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32 from subunit.run import SubunitTestRunner
36 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
37 sambaopts = options.SambaOptions(parser)
38 parser.add_option_group(sambaopts)
39 parser.add_option_group(options.VersionOptions(parser))
41 # use command line creds if available
42 credopts = options.CredentialsOptions(parser)
43 parser.add_option_group(credopts)
44 opts, args = parser.parse_args()
52 lp = sambaopts.get_loadparm()
53 creds = credopts.get_credentials(lp)
54 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
60 class DescriptorTests(samba.tests.TestCase):
62 def delete_force(self, ldb, dn):
65 except LdbError, (num, _):
66 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
68 def find_domain_sid(self, ldb):
69 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
70 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
72 def get_users_domain_dn(self, name):
73 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
75 def modify_desc(self, _ldb, object_dn, desc, controls=None):
76 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
78 dn: """ + object_dn + """
80 replace: nTSecurityDescriptor
82 if isinstance(desc, str):
83 mod += "nTSecurityDescriptor: %s" % desc
84 elif isinstance(desc, security.descriptor):
85 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
86 _ldb.modify_ldif(mod, controls)
88 def get_unique_schema_class_name(self):
90 class_name = "test-class%s" % random.randint(1,100000)
91 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
93 self.ldb_admin.search(base=class_dn, attrs=["*"])
94 except LdbError, (num, _):
95 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
98 def create_schema_class(self, _ldb, object_dn, desc=None):
100 dn: """ + object_dn + """
101 objectClass: classSchema
102 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
103 defaultObjectCategory: """ + object_dn + """
104 distinguishedName: """ + object_dn + """
105 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
107 objectClassCategory: 1
108 subClassOf: organizationalPerson
111 systemMustContain: cn
115 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
116 if isinstance(desc, str):
117 ldif += "nTSecurityDescriptor: %s" % desc
118 elif isinstance(desc, security.descriptor):
119 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
122 def create_configuration_container(self, _ldb, object_dn, desc=None):
124 dn: """ + object_dn + """
125 objectClass: container
126 objectCategory: CN=Container,""" + self.schema_dn + """
127 showInAdvancedViewOnly: TRUE
131 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
132 if isinstance(desc, str):
133 ldif += "nTSecurityDescriptor: %s" % desc
134 elif isinstance(desc, security.descriptor):
135 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
138 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
140 dn: """ + object_dn + """
141 objectClass: displaySpecifier
142 showInAdvancedViewOnly: TRUE
145 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
146 if isinstance(desc, str):
147 ldif += "nTSecurityDescriptor: %s" % desc
148 elif isinstance(desc, security.descriptor):
149 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
152 def read_desc(self, object_dn, controls=None):
153 res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
154 desc = res[0]["nTSecurityDescriptor"][0]
155 return ndr_unpack(security.descriptor, desc)
157 def get_ldb_connection(self, target_username, target_password):
158 creds_tmp = Credentials()
159 creds_tmp.set_username(target_username)
160 creds_tmp.set_password(target_password)
161 creds_tmp.set_domain(creds.get_domain())
162 creds_tmp.set_realm(creds.get_realm())
163 creds_tmp.set_workstation(creds.get_workstation())
164 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
165 | gensec.FEATURE_SEAL)
166 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
169 def get_object_sid(self, object_dn):
170 res = self.ldb_admin.search(object_dn)
171 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
173 def dacl_add_ace(self, object_dn, ace):
174 desc = self.read_desc( object_dn )
175 desc_sddl = desc.as_sddl( self.domain_sid )
178 if desc_sddl.find("(") >= 0:
179 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
181 desc_sddl = desc_sddl + ace
182 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
184 def get_desc_sddl(self, object_dn, controls=None):
185 """ Return object nTSecutiryDescriptor in SDDL format
187 desc = self.read_desc(object_dn, controls)
188 return desc.as_sddl(self.domain_sid)
191 super(DescriptorTests, self).setUp()
193 self.base_dn = ldb.domain_dn()
194 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
195 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
196 self.domain_sid = self.find_domain_sid(self.ldb_admin)
197 print "baseDN: %s" % self.base_dn
199 ################################################################################################
203 # Default descriptor tests #####################################################################
205 class OwnerGroupDescriptorTests(DescriptorTests):
208 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
209 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
210 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
211 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
212 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
213 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
214 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
215 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
217 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
218 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
219 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
220 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
223 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
224 + self.configuration_dn)
225 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
228 super(OwnerGroupDescriptorTests, self).setUp()
231 # User 1 - Enterprise Admins
232 self.ldb_admin.newuser("testuser1", "samba123@")
233 # User 2 - Domain Admins
234 self.ldb_admin.newuser("testuser2", "samba123@")
235 # User 3 - Schema Admins
236 self.ldb_admin.newuser("testuser3", "samba123@")
237 # User 4 - regular user
238 self.ldb_admin.newuser("testuser4", "samba123@")
239 # User 5 - Enterprise Admins and Domain Admins
240 self.ldb_admin.newuser("testuser5", "samba123@")
241 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
242 self.ldb_admin.newuser("testuser6", "samba123@")
243 # User 7 - Domain Admins and Schema Admins
244 self.ldb_admin.newuser("testuser7", "samba123@")
245 # User 5 - Enterprise Admins and Schema Admins
246 self.ldb_admin.newuser("testuser8", "samba123@")
248 self.ldb_admin.add_remove_group_members("Enterprise Admins",
249 "testuser1,testuser5,testuser6,testuser8",
250 add_members_operation=True)
251 self.ldb_admin.add_remove_group_members("Domain Admins",
252 "testuser2,testuser5,testuser6,testuser7",
253 add_members_operation=True)
254 self.ldb_admin.add_remove_group_members("Schema Admins",
255 "testuser3,testuser6,testuser7,testuser8",
256 add_members_operation=True)
259 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
260 "ds_behavior_win2003" : {
310 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
311 "ds_behavior_win2008" : {
362 # Discover 'msDS-Behavior-Version'
363 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
364 attrs=['msDS-Behavior-Version'])
365 res = int(res[0]['msDS-Behavior-Version'][0])
366 if res < DS_DOMAIN_FUNCTION_2008:
367 self.DS_BEHAVIOR = "ds_behavior_win2003"
369 self.DS_BEHAVIOR = "ds_behavior_win2008"
372 super(DescriptorTests, self).tearDown()
375 def check_user_belongs(self, user_dn, groups=[]):
376 """ Test wether user is member of the expected group(s) """
378 # User is member of at least one additional group
379 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
380 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
383 expected.append(self.get_users_domain_dn(x))
384 expected = [x.upper() for x in sorted(expected)]
385 self.assertEqual(expected, res)
387 # User is not a member of any additional groups but default
388 res = self.ldb_admin.search(user_dn, attrs=["*"])
389 res = [x.upper() for x in res[0].keys()]
390 self.assertFalse( "MEMBEROF" in res)
392 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
394 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
395 if owner_group != "":
396 self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
398 self.modify_desc(_ldb, object_dn, "D:" + ace)
399 # Make sure the modify operation has been applied
400 desc_sddl = self.get_desc_sddl(object_dn)
401 self.assertTrue(ace in desc_sddl)
402 # Make sure we have identical result for both "add" and "modify"
403 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
404 print self._testMethodName
405 test_number = self._testMethodName[5:]
406 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
409 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
411 user_name = "testuser1"
412 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
413 # Open Ldb connection with the tested user
414 _ldb = self.get_ldb_connection(user_name, "samba123@")
415 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
416 self.delete_force(self.ldb_admin, object_dn)
417 _ldb.newgroup("test_domain_group1", grouptype=4)
418 desc_sddl = self.get_desc_sddl(object_dn)
419 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
420 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
421 self.check_modify_inheritance(_ldb, object_dn)
424 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
426 user_name = "testuser2"
427 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
428 # Open Ldb connection with the tested user
429 _ldb = self.get_ldb_connection(user_name, "samba123@")
430 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
431 self.delete_force(self.ldb_admin, object_dn)
432 _ldb.newgroup("test_domain_group1", grouptype=4)
433 desc_sddl = self.get_desc_sddl(object_dn)
434 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
435 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
436 self.check_modify_inheritance(_ldb, object_dn)
439 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
441 user_name = "testuser3"
442 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
443 # Open Ldb connection with the tested user
444 _ldb = self.get_ldb_connection(user_name, "samba123@")
445 object_dn = "OU=test_domain_ou1," + self.base_dn
446 self.delete_force(self.ldb_admin, object_dn)
447 self.ldb_admin.create_ou(object_dn)
448 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
449 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
450 self.dacl_add_ace(object_dn, mod)
451 # Create additional object into the first one
452 object_dn = "CN=test_domain_user1," + object_dn
453 self.delete_force(self.ldb_admin, object_dn)
454 _ldb.newuser("test_domain_user1", "samba123@",
455 userou="OU=test_domain_ou1", setpassword=False)
456 desc_sddl = self.get_desc_sddl(object_dn)
457 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
458 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
459 # This fails, research why
460 #self.check_modify_inheritance(_ldb, object_dn)
463 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
465 user_name = "testuser4"
466 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
467 # Open Ldb connection with the tested user
468 _ldb = self.get_ldb_connection(user_name, "samba123@")
469 object_dn = "OU=test_domain_ou1," + self.base_dn
470 self.delete_force(self.ldb_admin, object_dn)
471 self.ldb_admin.create_ou(object_dn)
472 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
473 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
474 self.dacl_add_ace(object_dn, mod)
475 # Create additional object into the first one
476 object_dn = "CN=test_domain_user1," + object_dn
477 self.delete_force(self.ldb_admin, object_dn)
478 _ldb.newuser("test_domain_user1", "samba123@",
479 userou="OU=test_domain_ou1", setpassword=False)
480 desc_sddl = self.get_desc_sddl(object_dn)
481 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
482 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
483 #this fails, research why
484 #self.check_modify_inheritance(_ldb, object_dn)
487 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
489 user_name = "testuser5"
490 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
491 # Open Ldb connection with the tested user
492 _ldb = self.get_ldb_connection(user_name, "samba123@")
493 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
494 self.delete_force(self.ldb_admin, object_dn)
495 _ldb.newgroup("test_domain_group1", grouptype=4)
496 desc_sddl = self.get_desc_sddl(object_dn)
497 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
498 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
499 self.check_modify_inheritance(_ldb, object_dn)
502 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
504 user_name = "testuser6"
505 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
506 # Open Ldb connection with the tested user
507 _ldb = self.get_ldb_connection(user_name, "samba123@")
508 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
509 self.delete_force(self.ldb_admin, object_dn)
510 _ldb.newgroup("test_domain_group1", grouptype=4)
511 desc_sddl = self.get_desc_sddl(object_dn)
512 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
513 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
514 self.check_modify_inheritance(_ldb, object_dn)
517 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
519 user_name = "testuser7"
520 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
521 # Open Ldb connection with the tested user
522 _ldb = self.get_ldb_connection(user_name, "samba123@")
523 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
524 self.delete_force(self.ldb_admin, object_dn)
525 _ldb.newgroup("test_domain_group1", grouptype=4)
526 desc_sddl = self.get_desc_sddl(object_dn)
527 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
528 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
529 self.check_modify_inheritance(_ldb, object_dn)
532 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
534 user_name = "testuser8"
535 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
536 # Open Ldb connection with the tested user
537 _ldb = self.get_ldb_connection(user_name, "samba123@")
538 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
539 self.delete_force(self.ldb_admin, object_dn)
540 _ldb.newgroup("test_domain_group1", grouptype=4)
541 desc_sddl = self.get_desc_sddl(object_dn)
542 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
543 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
544 self.check_modify_inheritance(_ldb, object_dn)
546 # Control descriptor tests #####################################################################
549 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
551 user_name = "testuser1"
552 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
553 # Open Ldb connection with the tested user
554 _ldb = self.get_ldb_connection(user_name, "samba123@")
555 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
556 self.delete_force(self.ldb_admin, object_dn)
557 # Create a custom security descriptor
558 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
559 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
560 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
561 desc_sddl = self.get_desc_sddl(object_dn)
562 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
563 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
566 """ Domain admin group member creates object (custom descriptor) in DOMAIN
568 user_name = "testuser2"
569 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
570 # Open Ldb connection with the tested user
571 _ldb = self.get_ldb_connection(user_name, "samba123@")
572 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
573 self.delete_force(self.ldb_admin, object_dn)
574 # Create a custom security descriptor
575 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
576 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
577 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
578 desc_sddl = self.get_desc_sddl(object_dn)
579 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
580 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
583 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
585 user_name = "testuser3"
586 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
587 # Open Ldb connection with the tested user
588 _ldb = self.get_ldb_connection(user_name, "samba123@")
589 object_dn = "OU=test_domain_ou1," + self.base_dn
590 self.delete_force(self.ldb_admin, object_dn)
591 self.ldb_admin.create_ou(object_dn)
592 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
593 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
594 self.dacl_add_ace(object_dn, mod)
595 # Create a custom security descriptor
596 # NB! Problematic owner part won't accept DA only <User Sid> !!!
597 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
598 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
599 # Create additional object into the first one
600 object_dn = "CN=test_domain_user1," + object_dn
601 self.delete_force(self.ldb_admin, object_dn)
602 _ldb.newuser("test_domain_user1", "samba123@",
603 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
604 desc = self.read_desc(object_dn)
605 desc_sddl = self.get_desc_sddl(object_dn)
606 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
607 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
610 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
612 user_name = "testuser4"
613 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
614 # Open Ldb connection with the tested user
615 _ldb = self.get_ldb_connection(user_name, "samba123@")
616 object_dn = "OU=test_domain_ou1," + self.base_dn
617 self.delete_force(self.ldb_admin, object_dn)
618 self.ldb_admin.create_ou(object_dn)
619 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
620 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
621 self.dacl_add_ace(object_dn, mod)
622 # Create a custom security descriptor
623 # NB! Problematic owner part won't accept DA only <User Sid> !!!
624 sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
625 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
626 # Create additional object into the first one
627 object_dn = "CN=test_domain_user1," + object_dn
628 self.delete_force(self.ldb_admin, object_dn)
629 _ldb.newuser("test_domain_user1", "samba123@",
630 userou="OU=test_domain_ou1", sd=tmp_desc, setpassword=False)
631 desc = self.read_desc(object_dn)
632 desc_sddl = self.get_desc_sddl(object_dn)
633 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
634 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
637 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
639 user_name = "testuser5"
640 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
641 # Open Ldb connection with the tested user
642 _ldb = self.get_ldb_connection(user_name, "samba123@")
643 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
644 self.delete_force(self.ldb_admin, object_dn)
645 # Create a custom security descriptor
646 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
647 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
648 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
649 desc_sddl = self.get_desc_sddl(object_dn)
650 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
651 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
654 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
656 user_name = "testuser6"
657 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
658 # Open Ldb connection with the tested user
659 _ldb = self.get_ldb_connection(user_name, "samba123@")
660 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
661 self.delete_force(self.ldb_admin, object_dn)
662 # Create a custom security descriptor
663 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
664 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
665 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
666 desc_sddl = self.get_desc_sddl(object_dn)
667 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
668 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
671 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
673 user_name = "testuser7"
674 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
675 # Open Ldb connection with the tested user
676 _ldb = self.get_ldb_connection(user_name, "samba123@")
677 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
678 self.delete_force(self.ldb_admin, object_dn)
679 # Create a custom security descriptor
680 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
681 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
682 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
683 desc_sddl = self.get_desc_sddl(object_dn)
684 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
685 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
688 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
690 user_name = "testuser8"
691 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
692 # Open Ldb connection with the tested user
693 _ldb = self.get_ldb_connection(user_name, "samba123@")
694 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
695 self.delete_force(self.ldb_admin, object_dn)
696 # Create a custom security descriptor
697 sddl = "O:DAG:DAD:(A;;RP;;;DU)"
698 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
699 _ldb.newgroup("test_domain_group1", grouptype=4, sd=tmp_desc)
700 desc_sddl = self.get_desc_sddl(object_dn)
701 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
702 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
705 user_name = "Administrator"
706 object_dn = "OU=test_domain_ou1," + self.base_dn
707 self.delete_force(self.ldb_admin, object_dn)
708 self.ldb_admin.create_ou(object_dn)
709 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
710 mod = "(D;CI;WP;;;S-1-3-0)"
712 self.dacl_add_ace(object_dn, mod)
713 desc_sddl = self.get_desc_sddl(object_dn)
714 # Create additional object into the first one
715 object_dn = "OU=test_domain_ou2," + object_dn
716 self.delete_force(self.ldb_admin, object_dn)
717 self.ldb_admin.create_ou(object_dn)
718 desc_sddl = self.get_desc_sddl(object_dn)
722 # Defalt descriptor tests ##################################################################
725 user_name = "testuser1"
726 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
727 # Open Ldb connection with the tested user
728 _ldb = self.get_ldb_connection(user_name, "samba123@")
729 # Change Schema partition descriptor
730 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
731 mod = "(A;;WDCC;;;AU)"
732 self.dacl_add_ace(self.schema_dn, mod)
733 # Create example Schema class
734 class_name = self.get_unique_schema_class_name()
735 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
736 self.create_schema_class(_ldb, class_dn)
737 desc_sddl = self.get_desc_sddl(class_dn)
738 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
739 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
740 self.check_modify_inheritance(_ldb, class_dn)
743 user_name = "testuser2"
744 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
745 # Open Ldb connection with the tested user
746 _ldb = self.get_ldb_connection(user_name, "samba123@")
747 # Change Schema partition descriptor
748 mod = "(A;CI;WDCC;;;AU)"
749 self.dacl_add_ace(self.schema_dn, mod)
750 # Create example Schema class
751 class_name = self.get_unique_schema_class_name()
752 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
753 self.create_schema_class(_ldb, class_dn)
754 desc_sddl = self.get_desc_sddl(class_dn)
755 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
756 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
757 self.check_modify_inheritance(_ldb, class_dn)
760 user_name = "testuser3"
761 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
762 # Open Ldb connection with the tested user
763 _ldb = self.get_ldb_connection(user_name, "samba123@")
764 # Change Schema partition descriptor
765 mod = "(A;CI;WDCC;;;AU)"
766 self.dacl_add_ace(self.schema_dn, mod)
767 # Create example Schema class
768 class_name = self.get_unique_schema_class_name()
769 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
770 self.create_schema_class(_ldb, class_dn)
771 desc_sddl = self.get_desc_sddl(class_dn)
772 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
773 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
774 #self.check_modify_inheritance(_ldb, class_dn)
777 user_name = "testuser4"
778 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
779 # Open Ldb connection with the tested user
780 _ldb = self.get_ldb_connection(user_name, "samba123@")
781 #Change Schema partition descriptor
782 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
783 mod = "(A;CI;WDCC;;;AU)"
784 self.dacl_add_ace(self.schema_dn, mod)
785 # Create example Schema class
786 class_name = self.get_unique_schema_class_name()
787 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
788 self.create_schema_class(_ldb, class_dn)
789 desc_sddl = self.get_desc_sddl(class_dn)
790 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
791 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
792 #self.check_modify_inheritance(_ldb, class_dn)
795 user_name = "testuser5"
796 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
797 # Open Ldb connection with the tested user
798 _ldb = self.get_ldb_connection(user_name, "samba123@")
799 #Change Schema partition descriptor
800 mod = "(A;CI;WDCC;;;AU)"
801 self.dacl_add_ace(self.schema_dn, mod)
802 # Create example Schema class
803 class_name = self.get_unique_schema_class_name()
804 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
805 self.create_schema_class(_ldb, class_dn)
806 desc_sddl = self.get_desc_sddl(class_dn)
807 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
808 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
809 self.check_modify_inheritance(_ldb, class_dn)
812 user_name = "testuser6"
813 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
814 # Open Ldb connection with the tested user
815 _ldb = self.get_ldb_connection(user_name, "samba123@")
816 # Change Schema partition descriptor
817 mod = "(A;CI;WDCC;;;AU)"
818 self.dacl_add_ace(self.schema_dn, mod)
819 # Create example Schema class
820 class_name = self.get_unique_schema_class_name()
821 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
822 self.create_schema_class(_ldb, class_dn)
823 desc_sddl = self.get_desc_sddl(class_dn)
824 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
825 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
826 self.check_modify_inheritance(_ldb, class_dn)
829 user_name = "testuser7"
830 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
831 # Open Ldb connection with the tested user
832 _ldb = self.get_ldb_connection(user_name, "samba123@")
833 # Change Schema partition descriptor
834 mod = "(A;CI;WDCC;;;AU)"
835 self.dacl_add_ace(self.schema_dn, mod)
836 # Create example Schema class
837 class_name = self.get_unique_schema_class_name()
838 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
839 self.create_schema_class(_ldb, class_dn)
840 desc_sddl = self.get_desc_sddl(class_dn)
841 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
842 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
843 self.check_modify_inheritance(_ldb, class_dn)
846 user_name = "testuser8"
847 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
848 # Open Ldb connection with the tested user
849 _ldb = self.get_ldb_connection(user_name, "samba123@")
850 # Change Schema partition descriptor
851 mod = "(A;CI;WDCC;;;AU)"
852 self.dacl_add_ace(self.schema_dn, mod)
853 # Create example Schema class
854 class_name = self.get_unique_schema_class_name()
855 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
856 self.create_schema_class(_ldb, class_dn)
857 desc_sddl = self.get_desc_sddl(class_dn)
858 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
859 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
860 self.check_modify_inheritance(_ldb, class_dn)
862 # Custom descriptor tests ##################################################################
865 user_name = "testuser1"
866 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
867 # Open Ldb connection with the tested user
868 _ldb = self.get_ldb_connection(user_name, "samba123@")
869 # Change Schema partition descriptor
871 self.dacl_add_ace(self.schema_dn, mod)
872 # Create a custom security descriptor
873 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
874 # Create example Schema class
875 class_name = self.get_unique_schema_class_name()
876 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
877 self.create_schema_class(_ldb, class_dn, desc_sddl)
878 desc_sddl = self.get_desc_sddl(class_dn)
879 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
880 self.assertEqual("O:DAG:DA", res)
883 user_name = "testuser2"
884 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
885 # Open Ldb connection with the tested user
886 _ldb = self.get_ldb_connection(user_name, "samba123@")
887 # Change Schema partition descriptor
889 self.dacl_add_ace(self.schema_dn, mod)
890 # Create a custom security descriptor
891 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
892 # Create example Schema class
893 class_name = self.get_unique_schema_class_name()
894 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
895 self.create_schema_class(_ldb, class_dn, desc_sddl)
896 desc_sddl = self.get_desc_sddl(class_dn)
897 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
898 self.assertEqual("O:DAG:DA", res)
901 user_name = "testuser3"
902 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
903 # Open Ldb connection with the tested user
904 _ldb = self.get_ldb_connection(user_name, "samba123@")
905 # Create a custom security descriptor
906 # NB! Problematic owner part won't accept DA only <User Sid> !!!
907 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
908 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
909 # Create example Schema class
910 class_name = self.get_unique_schema_class_name()
911 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
912 self.create_schema_class(_ldb, class_dn, desc_sddl)
913 desc_sddl = self.get_desc_sddl(class_dn)
914 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
915 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
918 user_name = "testuser4"
919 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
920 # Open Ldb connection with the tested user
921 _ldb = self.get_ldb_connection(user_name, "samba123@")
922 # Create a custom security descriptor
923 # NB! Problematic owner part won't accept DA only <User Sid> !!!
924 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
925 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
926 # Create example Schema class
927 class_name = self.get_unique_schema_class_name()
928 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
929 self.create_schema_class(_ldb, class_dn, desc_sddl)
930 desc_sddl = self.get_desc_sddl(class_dn)
931 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
932 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
935 user_name = "testuser5"
936 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
937 # Open Ldb connection with the tested user
938 _ldb = self.get_ldb_connection(user_name, "samba123@")
939 # Change Schema partition descriptor
941 self.dacl_add_ace(self.schema_dn, mod)
942 # Create a custom security descriptor
943 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
944 # Create example Schema class
945 class_name = self.get_unique_schema_class_name()
946 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
947 self.create_schema_class(_ldb, class_dn, desc_sddl)
948 desc_sddl = self.get_desc_sddl(class_dn)
949 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
950 self.assertEqual("O:DAG:DA", res)
953 user_name = "testuser6"
954 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
955 # Open Ldb connection with the tested user
956 _ldb = self.get_ldb_connection(user_name, "samba123@")
957 # Change Schema partition descriptor
959 self.dacl_add_ace(self.schema_dn, mod)
960 # Create a custom security descriptor
961 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
962 # Create example Schema class
963 class_name = self.get_unique_schema_class_name()
964 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
965 self.create_schema_class(_ldb, class_dn, desc_sddl)
966 desc_sddl = self.get_desc_sddl(class_dn)
967 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
968 self.assertEqual("O:DAG:DA", res)
971 user_name = "testuser7"
972 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
973 # Open Ldb connection with the tested user
974 _ldb = self.get_ldb_connection(user_name, "samba123@")
975 # Change Schema partition descriptor
977 self.dacl_add_ace(self.schema_dn, mod)
978 # Create a custom security descriptor
979 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
980 # Create example Schema class
981 class_name = self.get_unique_schema_class_name()
982 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
983 self.create_schema_class(_ldb, class_dn, desc_sddl)
984 desc_sddl = self.get_desc_sddl(class_dn)
985 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
986 self.assertEqual("O:DAG:DA", res)
989 user_name = "testuser8"
990 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
991 # Open Ldb connection with the tested user
992 _ldb = self.get_ldb_connection(user_name, "samba123@")
993 # Change Schema partition descriptor
995 self.dacl_add_ace(self.schema_dn, mod)
996 # Create a custom security descriptor
997 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
998 # Create example Schema class
999 class_name = self.get_unique_schema_class_name()
1000 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1001 self.create_schema_class(_ldb, class_dn, desc_sddl)
1002 desc_sddl = self.get_desc_sddl(class_dn)
1003 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1004 self.assertEqual("O:DAG:DA", res)
1006 ## Tests for CONFIGURATION
1008 # Defalt descriptor tests ##################################################################
1011 user_name = "testuser1"
1012 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1013 # Open Ldb connection with the tested user
1014 _ldb = self.get_ldb_connection(user_name, "samba123@")
1015 # Create example Configuration container
1016 container_name = "test-container1"
1017 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1018 self.delete_force(self.ldb_admin, object_dn)
1019 self.create_configuration_container(_ldb, object_dn, )
1020 desc_sddl = self.get_desc_sddl(object_dn)
1021 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1022 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1023 self.check_modify_inheritance(_ldb, object_dn)
1026 user_name = "testuser2"
1027 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1028 # Open Ldb connection with the tested user
1029 _ldb = self.get_ldb_connection(user_name, "samba123@")
1030 # Create example Configuration container
1031 container_name = "test-container1"
1032 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1033 self.delete_force(self.ldb_admin, object_dn)
1034 self.create_configuration_container(_ldb, object_dn, )
1035 desc_sddl = self.get_desc_sddl(object_dn)
1036 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1037 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1038 self.check_modify_inheritance(_ldb, object_dn)
1041 user_name = "testuser3"
1042 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1043 # Open Ldb connection with the tested user
1044 _ldb = self.get_ldb_connection(user_name, "samba123@")
1045 # Create example Configuration container
1046 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1047 self.delete_force(self.ldb_admin, object_dn)
1048 self.create_configuration_container(self.ldb_admin, object_dn, )
1049 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1050 mod = "(A;;WDCC;;;AU)"
1051 self.dacl_add_ace(object_dn, mod)
1052 # Create child object with user's credentials
1053 object_dn = "CN=test-specifier1," + object_dn
1054 self.delete_force(self.ldb_admin, object_dn)
1055 self.create_configuration_specifier(_ldb, object_dn)
1056 desc_sddl = self.get_desc_sddl(object_dn)
1057 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1058 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1059 #self.check_modify_inheritance(_ldb, object_dn)
1062 user_name = "testuser4"
1063 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1064 # Open Ldb connection with the tested user
1065 _ldb = self.get_ldb_connection(user_name, "samba123@")
1066 # Create example Configuration container
1067 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1068 self.delete_force(self.ldb_admin, object_dn)
1069 self.create_configuration_container(self.ldb_admin, object_dn, )
1070 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1071 mod = "(A;CI;WDCC;;;AU)"
1072 self.dacl_add_ace(object_dn, mod)
1073 # Create child object with user's credentials
1074 object_dn = "CN=test-specifier1," + object_dn
1075 self.delete_force(self.ldb_admin, object_dn)
1076 self.create_configuration_specifier(_ldb, object_dn)
1077 desc_sddl = self.get_desc_sddl(object_dn)
1078 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1079 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1080 #self.check_modify_inheritance(_ldb, object_dn)
1083 user_name = "testuser5"
1084 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1085 # Open Ldb connection with the tested user
1086 _ldb = self.get_ldb_connection(user_name, "samba123@")
1087 # Create example Configuration container
1088 container_name = "test-container1"
1089 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1090 self.delete_force(self.ldb_admin, object_dn)
1091 self.create_configuration_container(_ldb, object_dn, )
1092 desc_sddl = self.get_desc_sddl(object_dn)
1093 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1094 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1095 self.check_modify_inheritance(_ldb, object_dn)
1098 user_name = "testuser6"
1099 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1100 # Open Ldb connection with the tested user
1101 _ldb = self.get_ldb_connection(user_name, "samba123@")
1102 # Create example Configuration container
1103 container_name = "test-container1"
1104 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1105 self.delete_force(self.ldb_admin, object_dn)
1106 self.create_configuration_container(_ldb, object_dn, )
1107 desc_sddl = self.get_desc_sddl(object_dn)
1108 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1109 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1110 self.check_modify_inheritance(_ldb, object_dn)
1113 user_name = "testuser7"
1114 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1115 # Open Ldb connection with the tested user
1116 _ldb = self.get_ldb_connection(user_name, "samba123@")
1117 # Create example Configuration container
1118 container_name = "test-container1"
1119 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1120 self.delete_force(self.ldb_admin, object_dn)
1121 self.create_configuration_container(_ldb, object_dn, )
1122 desc_sddl = self.get_desc_sddl(object_dn)
1123 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1124 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1125 self.check_modify_inheritance(_ldb, object_dn)
1128 user_name = "testuser8"
1129 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1130 # Open Ldb connection with the tested user
1131 _ldb = self.get_ldb_connection(user_name, "samba123@")
1132 # Create example Configuration container
1133 container_name = "test-container1"
1134 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1135 self.delete_force(self.ldb_admin, object_dn)
1136 self.create_configuration_container(_ldb, object_dn, )
1137 desc_sddl = self.get_desc_sddl(object_dn)
1138 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1139 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1140 self.check_modify_inheritance(_ldb, object_dn)
1142 # Custom descriptor tests ##################################################################
1145 user_name = "testuser1"
1146 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1147 # Open Ldb connection with the tested user
1148 _ldb = self.get_ldb_connection(user_name, "samba123@")
1149 # Create example Configuration container
1150 container_name = "test-container1"
1151 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1152 self.delete_force(self.ldb_admin, object_dn)
1153 # Create a custom security descriptor
1154 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1155 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1156 desc_sddl = self.get_desc_sddl(object_dn)
1157 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1158 self.assertEqual("O:DAG:DA", res)
1161 user_name = "testuser2"
1162 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1163 # Open Ldb connection with the tested user
1164 _ldb = self.get_ldb_connection(user_name, "samba123@")
1165 # Create example Configuration container
1166 container_name = "test-container1"
1167 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1168 self.delete_force(self.ldb_admin, object_dn)
1169 # Create a custom security descriptor
1170 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1171 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1172 desc_sddl = self.get_desc_sddl(object_dn)
1173 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1174 self.assertEqual("O:DAG:DA", res)
1177 user_name = "testuser3"
1178 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1179 # Open Ldb connection with the tested user
1180 _ldb = self.get_ldb_connection(user_name, "samba123@")
1181 # Create example Configuration container
1182 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1183 self.delete_force(self.ldb_admin, object_dn)
1184 self.create_configuration_container(self.ldb_admin, object_dn, )
1185 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1186 mod = "(A;;CC;;;AU)"
1187 self.dacl_add_ace(object_dn, mod)
1188 # Create child object with user's credentials
1189 object_dn = "CN=test-specifier1," + object_dn
1190 self.delete_force(self.ldb_admin, object_dn)
1191 # Create a custom security descriptor
1192 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1193 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1194 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1195 desc_sddl = self.get_desc_sddl(object_dn)
1196 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1197 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1200 user_name = "testuser4"
1201 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1202 # Open Ldb connection with the tested user
1203 _ldb = self.get_ldb_connection(user_name, "samba123@")
1204 # Create example Configuration container
1205 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1206 self.delete_force(self.ldb_admin, object_dn)
1207 self.create_configuration_container(self.ldb_admin, object_dn, )
1208 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1209 mod = "(A;;CC;;;AU)"
1210 self.dacl_add_ace(object_dn, mod)
1211 # Create child object with user's credentials
1212 object_dn = "CN=test-specifier1," + object_dn
1213 self.delete_force(self.ldb_admin, object_dn)
1214 # Create a custom security descriptor
1215 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1216 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1217 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1218 desc_sddl = self.get_desc_sddl(object_dn)
1219 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1220 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1223 user_name = "testuser5"
1224 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1225 # Open Ldb connection with the tested user
1226 _ldb = self.get_ldb_connection(user_name, "samba123@")
1227 # Create example Configuration container
1228 container_name = "test-container1"
1229 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1230 self.delete_force(self.ldb_admin, object_dn)
1231 # Create a custom security descriptor
1232 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1233 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1234 desc_sddl = self.get_desc_sddl(object_dn)
1235 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1236 self.assertEqual("O:DAG:DA", res)
1239 user_name = "testuser6"
1240 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1241 # Open Ldb connection with the tested user
1242 _ldb = self.get_ldb_connection(user_name, "samba123@")
1243 # Create example Configuration container
1244 container_name = "test-container1"
1245 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1246 self.delete_force(self.ldb_admin, object_dn)
1247 # Create a custom security descriptor
1248 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1249 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1250 desc_sddl = self.get_desc_sddl(object_dn)
1251 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1252 self.assertEqual("O:DAG:DA", res)
1255 user_name = "testuser7"
1256 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1257 # Open Ldb connection with the tested user
1258 _ldb = self.get_ldb_connection(user_name, "samba123@")
1259 # Create example Configuration container
1260 container_name = "test-container1"
1261 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1262 self.delete_force(self.ldb_admin, object_dn)
1263 # Create a custom security descriptor
1264 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1265 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1266 desc_sddl = self.get_desc_sddl(object_dn)
1267 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1268 self.assertEqual("O:DAG:DA", res)
1271 user_name = "testuser8"
1272 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1273 # Open Ldb connection with the tested user
1274 _ldb = self.get_ldb_connection(user_name, "samba123@")
1275 # Create example Configuration container
1276 container_name = "test-container1"
1277 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1278 self.delete_force(self.ldb_admin, object_dn)
1279 # Create a custom security descriptor
1280 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1281 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1282 desc_sddl = self.get_desc_sddl(object_dn)
1283 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1284 self.assertEqual("O:DAG:DA", res)
1286 ########################################################################################
1287 # Inharitance tests for DACL
1289 class DaclDescriptorTests(DescriptorTests):
1291 def deleteAll(self):
1292 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1293 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1296 super(DaclDescriptorTests, self).setUp()
1299 def create_clean_ou(self, object_dn):
1300 """ Base repeating setup for unittests to follow """
1301 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1302 expression="distinguishedName=%s" % object_dn)
1303 # Make sure top testing OU has been deleted before starting the test
1304 self.assertEqual(res, [])
1305 self.ldb_admin.create_ou(object_dn)
1306 desc_sddl = self.get_desc_sddl(object_dn)
1307 # Make sure there are inheritable ACEs initially
1308 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1309 # Find and remove all inherit ACEs
1310 res = re.findall("\(.*?\)", desc_sddl)
1311 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1313 desc_sddl = desc_sddl.replace(x, "")
1314 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1315 # can propagate from above
1316 # remove SACL, we are not interested
1317 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1318 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
1319 # Verify all inheritable ACEs are gone
1320 desc_sddl = self.get_desc_sddl(object_dn)
1321 self.assertFalse("CI" in desc_sddl)
1322 self.assertFalse("OI" in desc_sddl)
1325 """ OU with protected flag and child group. See if the group has inherit ACEs.
1327 ou_dn = "OU=test_inherit_ou," + self.base_dn
1328 group_dn = "CN=test_inherit_group," + ou_dn
1329 # Create inheritable-free OU
1330 self.create_clean_ou(ou_dn)
1331 # Create group child object
1332 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1333 # Make sure created group object contains NO inherit ACEs
1334 desc_sddl = self.get_desc_sddl(group_dn)
1335 self.assertFalse("ID" in desc_sddl)
1338 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1339 Verify group has custom and default ACEs only.
1341 ou_dn = "OU=test_inherit_ou," + self.base_dn
1342 group_dn = "CN=test_inherit_group," + ou_dn
1343 # Create inheritable-free OU
1344 self.create_clean_ou(ou_dn)
1345 # Create group child object using custom security descriptor
1346 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1347 tmp_desc = security.descriptor.from_sddl(sddl, self.domain_sid)
1348 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1349 # Make sure created group descriptor has NO additional ACEs
1350 desc_sddl = self.get_desc_sddl(group_dn)
1351 self.assertEqual(desc_sddl, sddl)
1352 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1353 self.modify_desc(self.ldb_admin, group_dn, sddl)
1354 desc_sddl = self.get_desc_sddl(group_dn)
1355 self.assertEqual(desc_sddl, sddl)
1358 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1359 See if the group has any of the added ACEs.
1361 ou_dn = "OU=test_inherit_ou," + self.base_dn
1362 group_dn = "CN=test_inherit_group," + ou_dn
1363 # Create inheritable-free OU
1364 self.create_clean_ou(ou_dn)
1365 # Add some custom non-inheritable ACEs
1366 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1367 moded = "(D;;CC;;;LG)"
1368 self.dacl_add_ace(ou_dn, mod)
1369 # Verify all inheritable ACEs are gone
1370 desc_sddl = self.get_desc_sddl(ou_dn)
1371 # Create group child object
1372 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
1373 # Make sure created group object contains NO inherit ACEs
1374 # also make sure the added above non-inheritable ACEs are absent too
1375 desc_sddl = self.get_desc_sddl(group_dn)
1376 self.assertFalse("ID" in desc_sddl)
1377 for x in re.findall("\(.*?\)", mod):
1378 self.assertFalse(x in desc_sddl)
1379 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1380 desc_sddl = self.get_desc_sddl(group_dn)
1381 self.assertFalse("ID" in desc_sddl)
1382 for x in re.findall("\(.*?\)", mod):
1383 self.assertFalse(x in desc_sddl)
1386 """ OU with protected flag and add 'CI' ACE, child group.
1387 See if the group has the added inherited ACE.
1389 ou_dn = "OU=test_inherit_ou," + self.base_dn
1390 group_dn = "CN=test_inherit_group," + ou_dn
1391 # Create inheritable-free OU
1392 self.create_clean_ou(ou_dn)
1393 # Add some custom 'CI' ACE
1394 mod = "(D;CI;WP;;;DU)"
1395 moded = "(D;;CC;;;LG)"
1396 self.dacl_add_ace(ou_dn, mod)
1397 desc_sddl = self.get_desc_sddl(ou_dn)
1398 # Create group child object
1399 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1400 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1401 # Make sure created group object contains only the above inherited ACE
1402 # that we've added manually
1403 desc_sddl = self.get_desc_sddl(group_dn)
1404 mod = mod.replace(";CI;", ";CIID;")
1405 self.assertTrue(mod in desc_sddl)
1406 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1407 desc_sddl = self.get_desc_sddl(group_dn)
1408 self.assertTrue(moded in desc_sddl)
1409 self.assertTrue(mod in desc_sddl)
1412 """ OU with protected flag and add 'OI' ACE, child group.
1413 See if the group has the added inherited ACE.
1415 ou_dn = "OU=test_inherit_ou," + self.base_dn
1416 group_dn = "CN=test_inherit_group," + ou_dn
1417 # Create inheritable-free OU
1418 self.create_clean_ou(ou_dn)
1419 # Add some custom 'CI' ACE
1420 mod = "(D;OI;WP;;;DU)"
1421 moded = "(D;;CC;;;LG)"
1422 self.dacl_add_ace(ou_dn, mod)
1423 desc_sddl = self.get_desc_sddl(ou_dn)
1424 # Create group child object
1425 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1426 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1427 # Make sure created group object contains only the above inherited ACE
1428 # that we've added manually
1429 desc_sddl = self.get_desc_sddl(group_dn)
1430 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1431 self.assertTrue(mod in desc_sddl)
1432 self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
1433 desc_sddl = self.get_desc_sddl(group_dn)
1434 self.assertTrue(moded in desc_sddl)
1435 self.assertTrue(mod in desc_sddl)
1438 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1439 See if the group has the added inherited ACE.
1441 ou_dn = "OU=test_inherit_ou," + self.base_dn
1442 group_dn = "CN=test_inherit_group," + ou_dn
1443 # Create inheritable-free OU
1444 self.create_clean_ou(ou_dn)
1445 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1446 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1447 moded = "(D;;CC;;;LG)"
1448 self.dacl_add_ace(ou_dn, mod)
1449 desc_sddl = self.get_desc_sddl(ou_dn)
1450 # Create group child object
1451 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1452 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1453 # Make sure created group object contains only the above inherited ACE
1454 # that we've added manually
1455 desc_sddl = self.get_desc_sddl(group_dn)
1456 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1457 self.assertTrue(mod in desc_sddl)
1458 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1459 desc_sddl = self.get_desc_sddl(group_dn)
1460 self.assertTrue(moded in desc_sddl)
1461 self.assertTrue(mod in desc_sddl)
1464 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1465 See if the group has the added inherited ACE.
1467 ou_dn = "OU=test_inherit_ou," + self.base_dn
1468 group_dn = "CN=test_inherit_group," + ou_dn
1469 # Create inheritable-free OU
1470 self.create_clean_ou(ou_dn)
1471 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1472 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1473 moded = "(D;;CC;;;LG)"
1474 self.dacl_add_ace(ou_dn, mod)
1475 desc_sddl = self.get_desc_sddl(ou_dn)
1476 # Create group child object
1477 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1478 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1479 # Make sure created group object contains only the above inherited ACE
1480 # that we've added manually
1481 desc_sddl = self.get_desc_sddl(group_dn)
1482 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1483 self.assertTrue(mod in desc_sddl)
1484 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1485 desc_sddl = self.get_desc_sddl(group_dn)
1486 self.assertTrue(moded in desc_sddl)
1487 self.assertTrue(mod in desc_sddl)
1490 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1491 See if the group has the added inherited ACE.
1493 ou_dn = "OU=test_inherit_ou," + self.base_dn
1494 group_dn = "CN=test_inherit_group," + ou_dn
1495 # Create inheritable-free OU
1496 self.create_clean_ou(ou_dn)
1497 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1498 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1499 moded = "(D;;CC;;;LG)"
1500 self.dacl_add_ace(ou_dn, mod)
1501 desc_sddl = self.get_desc_sddl(ou_dn)
1502 # Create group child object
1503 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1504 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1505 # Make sure created group object contains only the above inherited ACE
1506 # that we've added manually
1507 desc_sddl = self.get_desc_sddl(group_dn)
1508 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1509 self.assertTrue(mod in desc_sddl)
1510 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1511 desc_sddl = self.get_desc_sddl(group_dn)
1512 self.assertTrue(moded in desc_sddl)
1513 self.assertTrue(mod in desc_sddl)
1516 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1517 See if the group has the added inherited ACE.
1519 ou_dn = "OU=test_inherit_ou," + self.base_dn
1520 group_dn = "CN=test_inherit_group," + ou_dn
1521 # Create inheritable-free OU
1522 self.create_clean_ou(ou_dn)
1523 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1524 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1525 moded = "(D;;CC;;;LG)"
1526 self.dacl_add_ace(ou_dn, mod)
1527 desc_sddl = self.get_desc_sddl(ou_dn)
1528 # Create group child object
1529 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1530 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1531 # Make sure created group object contains only the above inherited ACE
1532 # that we've added manually
1533 desc_sddl = self.get_desc_sddl(group_dn)
1534 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1535 self.assertTrue(mod in desc_sddl)
1536 self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1537 desc_sddl = self.get_desc_sddl(group_dn)
1538 self.assertTrue(moded in desc_sddl)
1539 self.assertTrue(mod in desc_sddl)
1542 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1543 See if the group has the added inherited ACE.
1545 ou_dn = "OU=test_inherit_ou," + self.base_dn
1546 group_dn = "CN=test_inherit_group," + ou_dn
1547 # Create inheritable-free OU
1548 self.create_clean_ou(ou_dn)
1549 # Add some custom 'CI' ACE
1550 mod = "(D;CI;WP;;;CO)"
1551 moded = "(D;;CC;;;LG)"
1552 self.dacl_add_ace(ou_dn, mod)
1553 desc_sddl = self.get_desc_sddl(ou_dn)
1554 # Create group child object
1555 tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
1556 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1557 # Make sure created group object contains only the above inherited ACE(s)
1558 # that we've added manually
1559 desc_sddl = self.get_desc_sddl(group_dn)
1560 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1561 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1562 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1563 desc_sddl = self.get_desc_sddl(group_dn)
1564 self.assertTrue(moded in desc_sddl)
1565 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1566 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1569 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1571 ou_dn = "OU=test_inherit_ou," + self.base_dn
1572 group_dn = "CN=test_inherit_group," + ou_dn
1573 self.create_clean_ou(ou_dn)
1574 # Add some custom ACE
1575 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1576 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1577 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1578 # Make sure created group object does not contain the ID ace
1579 desc_sddl = self.get_desc_sddl(group_dn)
1580 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1583 """ Provide ACE with CO SID, should be expanded and replaced
1585 ou_dn = "OU=test_inherit_ou," + self.base_dn
1586 group_dn = "CN=test_inherit_group," + ou_dn
1587 # Create inheritable-free OU
1588 self.create_clean_ou(ou_dn)
1589 # Add some custom 'CI' ACE
1590 mod = "D:(D;CI;WP;;;CO)"
1591 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1592 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1593 desc_sddl = self.get_desc_sddl(group_dn)
1594 self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
1597 """ Provide ACE with IO flag, should be ignored
1599 ou_dn = "OU=test_inherit_ou," + self.base_dn
1600 group_dn = "CN=test_inherit_group," + ou_dn
1601 # Create inheritable-free OU
1602 self.create_clean_ou(ou_dn)
1603 # Add some custom 'CI' ACE
1604 mod = "D:(D;CIIO;WP;;;CO)"
1605 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1606 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1607 # Make sure created group object contains only the above inherited ACE(s)
1608 # that we've added manually
1609 desc_sddl = self.get_desc_sddl(group_dn)
1610 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1611 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1612 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1615 """ Provide ACE with IO flag, should be ignored
1617 ou_dn = "OU=test_inherit_ou," + self.base_dn
1618 group_dn = "CN=test_inherit_group," + ou_dn
1619 # Create inheritable-free OU
1620 self.create_clean_ou(ou_dn)
1621 mod = "D:(D;IO;WP;;;DA)"
1622 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
1623 self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
1624 # Make sure created group object contains only the above inherited ACE(s)
1625 # that we've added manually
1626 desc_sddl = self.get_desc_sddl(group_dn)
1627 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1629 ########################################################################################
1632 class SdFlagsDescriptorTests(DescriptorTests):
1633 def deleteAll(self):
1634 self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1637 super(SdFlagsDescriptorTests, self).setUp()
1638 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1642 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1643 See that only the owner has been changed.
1645 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1646 self.ldb_admin.create_ou(ou_dn)
1647 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1648 desc_sddl = self.get_desc_sddl(ou_dn)
1649 # make sure we have modified the owner
1650 self.assertTrue("O:AU" in desc_sddl)
1651 # make sure nothing else has been modified
1652 self.assertFalse("G:AU" in desc_sddl)
1653 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1654 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1657 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1658 See that only the owner has been changed.
1660 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1661 self.ldb_admin.create_ou(ou_dn)
1662 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1663 desc_sddl = self.get_desc_sddl(ou_dn)
1664 # make sure we have modified the group
1665 self.assertTrue("G:AU" in desc_sddl)
1666 # make sure nothing else has been modified
1667 self.assertFalse("O:AU" in desc_sddl)
1668 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1669 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1672 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1673 See that only the owner has been changed.
1675 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1676 self.ldb_admin.create_ou(ou_dn)
1677 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1678 desc_sddl = self.get_desc_sddl(ou_dn)
1679 # make sure we have modified the DACL
1680 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1681 # make sure nothing else has been modified
1682 self.assertFalse("O:AU" in desc_sddl)
1683 self.assertFalse("G:AU" in desc_sddl)
1684 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1687 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1688 See that only the owner has been changed.
1690 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1691 self.ldb_admin.create_ou(ou_dn)
1692 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1693 desc_sddl = self.get_desc_sddl(ou_dn)
1694 # make sure we have modified the DACL
1695 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1696 # make sure nothing else has been modified
1697 self.assertFalse("O:AU" in desc_sddl)
1698 self.assertFalse("G:AU" in desc_sddl)
1699 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1702 """ Modify a descriptor with 0x0 set.
1703 Contrary to logic this is interpreted as no control,
1704 which is the same as 0xF
1706 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1707 self.ldb_admin.create_ou(ou_dn)
1708 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1709 desc_sddl = self.get_desc_sddl(ou_dn)
1710 # make sure we have modified the DACL
1711 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1712 # make sure nothing else has been modified
1713 self.assertTrue("O:AU" in desc_sddl)
1714 self.assertTrue("G:AU" in desc_sddl)
1715 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1718 """ Modify a descriptor with 0xF set.
1720 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1721 self.ldb_admin.create_ou(ou_dn)
1722 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1723 desc_sddl = self.get_desc_sddl(ou_dn)
1724 # make sure we have modified the DACL
1725 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1726 # make sure nothing else has been modified
1727 self.assertTrue("O:AU" in desc_sddl)
1728 self.assertTrue("G:AU" in desc_sddl)
1729 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1732 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1733 Only the owner part should be returned.
1735 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1736 self.ldb_admin.create_ou(ou_dn)
1737 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1738 # make sure we have read the owner
1739 self.assertTrue("O:" in desc_sddl)
1740 # make sure we have read nothing else
1741 self.assertFalse("G:" in desc_sddl)
1742 self.assertFalse("D:" in desc_sddl)
1743 self.assertFalse("S:" in desc_sddl)
1746 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1747 Only the group part should be returned.
1749 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1750 self.ldb_admin.create_ou(ou_dn)
1751 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1752 # make sure we have read the owner
1753 self.assertTrue("G:" in desc_sddl)
1754 # make sure we have read nothing else
1755 self.assertFalse("O:" in desc_sddl)
1756 self.assertFalse("D:" in desc_sddl)
1757 self.assertFalse("S:" in desc_sddl)
1760 """ Read a descriptor with SACL_SECURITY_INFORMATION
1761 Only the sacl part should be returned.
1763 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1764 self.ldb_admin.create_ou(ou_dn)
1765 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1766 # make sure we have read the owner
1767 self.assertTrue("S:" in desc_sddl)
1768 # make sure we have read nothing else
1769 self.assertFalse("O:" in desc_sddl)
1770 self.assertFalse("D:" in desc_sddl)
1771 self.assertFalse("G:" in desc_sddl)
1774 """ Read a descriptor with DACL_SECURITY_INFORMATION
1775 Only the dacl part should be returned.
1777 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1778 self.ldb_admin.create_ou(ou_dn)
1779 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1780 # make sure we have read the owner
1781 self.assertTrue("D:" in desc_sddl)
1782 # make sure we have read nothing else
1783 self.assertFalse("O:" in desc_sddl)
1784 self.assertFalse("S:" in desc_sddl)
1785 self.assertFalse("G:" in desc_sddl)
1788 class RightsAttributesTests(DescriptorTests):
1790 def deleteAll(self):
1791 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1792 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1793 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1796 super(RightsAttributesTests, self).setUp()
1800 self.ldb_admin.newuser("testuser_attr", "samba123@")
1801 # User 2, Domain Admins
1802 self.ldb_admin.newuser("testuser_attr2", "samba123@")
1803 self.ldb_admin.add_remove_group_members("Domain Admins",
1805 add_members_operation=True)
1807 def test_sDRightsEffective(self):
1808 object_dn = "OU=test_domain_ou1," + self.base_dn
1809 self.delete_force(self.ldb_admin, object_dn)
1810 self.ldb_admin.create_ou(object_dn)
1811 print self.get_users_domain_dn("testuser_attr")
1812 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1813 #give testuser1 read access so attributes can be retrieved
1814 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1815 self.dacl_add_ace(object_dn, mod)
1816 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1817 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1818 attrs=["sDRightsEffective"])
1819 #user whould have no rights at all
1820 self.assertEquals(len(res), 1)
1821 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1822 #give the user Write DACL and see what happens
1823 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1824 self.dacl_add_ace(object_dn, mod)
1825 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1826 attrs=["sDRightsEffective"])
1827 #user whould have DACL_SECURITY_INFORMATION
1828 self.assertEquals(len(res), 1)
1829 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1830 #give the user Write Owners and see what happens
1831 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1832 self.dacl_add_ace(object_dn, mod)
1833 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1834 attrs=["sDRightsEffective"])
1835 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1836 self.assertEquals(len(res), 1)
1837 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1838 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1839 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1840 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1841 attrs=["sDRightsEffective"])
1842 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1843 self.assertEquals(len(res), 1)
1844 self.assertEquals(res[0]["sDRightsEffective"][0], \
1845 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1847 def test_allowedChildClassesEffective(self):
1848 object_dn = "OU=test_domain_ou1," + self.base_dn
1849 self.delete_force(self.ldb_admin, object_dn)
1850 self.ldb_admin.create_ou(object_dn)
1851 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1852 #give testuser1 read access so attributes can be retrieved
1853 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1854 self.dacl_add_ace(object_dn, mod)
1855 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1856 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1857 attrs=["allowedChildClassesEffective"])
1858 #there should be no allowed child classes
1859 self.assertEquals(len(res), 1)
1860 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1861 #give the user the right to create children of type user
1862 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1863 self.dacl_add_ace(object_dn, mod)
1864 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1865 attrs=["allowedChildClassesEffective"])
1866 # allowedChildClassesEffective should only have one value, user
1867 self.assertEquals(len(res), 1)
1868 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1869 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1871 def test_allowedAttributesEffective(self):
1872 object_dn = "OU=test_domain_ou1," + self.base_dn
1873 self.delete_force(self.ldb_admin, object_dn)
1874 self.ldb_admin.create_ou(object_dn)
1875 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1876 #give testuser1 read access so attributes can be retrieved
1877 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1878 self.dacl_add_ace(object_dn, mod)
1879 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1880 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1881 attrs=["allowedAttributesEffective"])
1882 #there should be no allowed attributes
1883 self.assertEquals(len(res), 1)
1884 self.assertFalse("allowedAttributesEffective" in res[0].keys())
1885 #give the user the right to write displayName and managedBy
1886 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1887 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1888 # also rights to modify an read only attribute, fromEntry
1889 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1890 self.dacl_add_ace(object_dn, mod + mod2 + mod3)
1891 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1892 attrs=["allowedAttributesEffective"])
1893 # value should only contain user and managedBy
1894 self.assertEquals(len(res), 1)
1895 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1896 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1897 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1899 if not "://" in host:
1900 if os.path.isfile(host):
1901 host = "tdb://%s" % host
1903 host = "ldap://%s" % host
1905 # use 'paged_search' module when connecting remotely
1906 if host.lower().startswith("ldap://"):
1907 ldb_options = ["modules:paged_searches"]
1911 session_info=system_session(),
1913 options=ldb_options)
1915 runner = SubunitTestRunner()
1917 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1919 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1921 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
1923 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():