2 # -*- coding: utf-8 -*-
11 sys.path.append("bin/python")
13 samba.ensure_external_module("testtools", "testtools")
14 samba.ensure_external_module("subunit", "subunit/python")
16 import samba.getopt as options
18 # Some error messages that are being tested
19 from ldb import SCOPE_SUBTREE, SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT
21 # For running the test unit
22 from samba.ndr import ndr_pack, ndr_unpack
23 from samba.dcerpc import security
25 from samba import gensec
26 from samba.samdb import SamDB
27 from samba.credentials import Credentials
28 from samba.auth import system_session
29 from samba.dsdb import DS_DOMAIN_FUNCTION_2008
30 from samba.dcerpc.security import (
31 SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL)
32 from subunit.run import SubunitTestRunner
36 parser = optparse.OptionParser("sec_descriptor.py [options] <host>")
37 sambaopts = options.SambaOptions(parser)
38 parser.add_option_group(sambaopts)
39 parser.add_option_group(options.VersionOptions(parser))
41 # use command line creds if available
42 credopts = options.CredentialsOptions(parser)
43 parser.add_option_group(credopts)
44 opts, args = parser.parse_args()
52 lp = sambaopts.get_loadparm()
53 creds = credopts.get_credentials(lp)
54 creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
60 class DescriptorTests(samba.tests.DsdbTestCase):
62 def get_users_domain_dn(self, name):
63 return "CN=%s,CN=Users,%s" % (name, self.base_dn)
65 def modify_desc(self, _ldb, object_dn, desc, controls=None):
66 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
68 dn: """ + object_dn + """
70 replace: nTSecurityDescriptor
72 if isinstance(desc, str):
73 mod += "nTSecurityDescriptor: %s" % desc
74 elif isinstance(desc, security.descriptor):
75 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
76 _ldb.modify_ldif(mod, controls)
78 def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
81 ou: """ + ou_dn.split(",")[0][3:] + """
82 objectClass: organizationalUnit
86 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
87 if isinstance(desc, str):
88 ldif += "nTSecurityDescriptor: %s" % desc
89 elif isinstance(desc, security.descriptor):
90 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
91 _ldb.add_ldif(ldif, controls)
93 def create_domain_user(self, _ldb, user_dn, desc=None):
95 dn: """ + user_dn + """
96 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
98 userPassword: samba123@
102 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
103 if isinstance(desc, str):
104 ldif += "nTSecurityDescriptor: %s" % desc
105 elif isinstance(desc, security.descriptor):
106 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
109 def create_domain_group(self, _ldb, group_dn, desc=None):
111 dn: """ + group_dn + """
113 sAMAccountName: """ + group_dn.split(",")[0][3:] + """
118 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
119 if isinstance(desc, str):
120 ldif += "nTSecurityDescriptor: %s" % desc
121 elif isinstance(desc, security.descriptor):
122 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
125 def get_unique_schema_class_name(self):
127 class_name = "test-class%s" % random.randint(1,100000)
128 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
130 self.ldb_admin.search(base=class_dn, attrs=["*"])
131 except LdbError, (num, _):
132 self.assertEquals(num, ERR_NO_SUCH_OBJECT)
135 def create_schema_class(self, _ldb, object_dn, desc=None):
137 dn: """ + object_dn + """
138 objectClass: classSchema
139 objectCategory: CN=Class-Schema,""" + self.schema_dn + """
140 defaultObjectCategory: """ + object_dn + """
141 distinguishedName: """ + object_dn + """
142 governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
144 objectClassCategory: 1
145 subClassOf: organizationalPerson
148 systemMustContain: cn
152 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
153 if isinstance(desc, str):
154 ldif += "nTSecurityDescriptor: %s" % desc
155 elif isinstance(desc, security.descriptor):
156 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
159 def create_configuration_container(self, _ldb, object_dn, desc=None):
161 dn: """ + object_dn + """
162 objectClass: container
163 objectCategory: CN=Container,""" + self.schema_dn + """
164 showInAdvancedViewOnly: TRUE
168 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
169 if isinstance(desc, str):
170 ldif += "nTSecurityDescriptor: %s" % desc
171 elif isinstance(desc, security.descriptor):
172 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
175 def create_configuration_specifier(self, _ldb, object_dn, desc=None):
177 dn: """ + object_dn + """
178 objectClass: displaySpecifier
179 showInAdvancedViewOnly: TRUE
182 assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
183 if isinstance(desc, str):
184 ldif += "nTSecurityDescriptor: %s" % desc
185 elif isinstance(desc, security.descriptor):
186 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
189 def read_desc(self, object_dn, controls=None):
190 res = self.ldb_admin.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"], controls=controls)
191 desc = res[0]["nTSecurityDescriptor"][0]
192 return ndr_unpack(security.descriptor, desc)
194 def create_active_user(self, _ldb, user_dn):
196 dn: """ + user_dn + """
197 sAMAccountName: """ + user_dn.split(",")[0][3:] + """
199 unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
204 def get_ldb_connection(self, target_username, target_password):
205 creds_tmp = Credentials()
206 creds_tmp.set_username(target_username)
207 creds_tmp.set_password(target_password)
208 creds_tmp.set_domain(creds.get_domain())
209 creds_tmp.set_realm(creds.get_realm())
210 creds_tmp.set_workstation(creds.get_workstation())
211 creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
212 | gensec.FEATURE_SEAL)
213 ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp)
216 def get_object_sid(self, object_dn):
217 res = self.ldb_admin.search(object_dn)
218 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] )
220 def dacl_add_ace(self, object_dn, ace):
221 desc = self.read_desc( object_dn )
222 desc_sddl = desc.as_sddl( self.domain_sid )
225 if desc_sddl.find("(") >= 0:
226 desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):]
228 desc_sddl = desc_sddl + ace
229 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
231 def get_desc_sddl(self, object_dn, controls=None):
232 """ Return object nTSecutiryDescriptor in SDDL format
234 desc = self.read_desc(object_dn, controls)
235 return desc.as_sddl(self.domain_sid)
237 def create_enable_user(self, username):
238 user_dn = self.get_users_domain_dn(username)
239 self.create_active_user(self.ldb_admin, user_dn)
240 self.ldb_admin.enable_account("(sAMAccountName=" + username + ")")
243 super(DescriptorTests, self).setUp()
245 self.base_dn = ldb.domain_dn()
246 self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
247 self.schema_dn = self.ldb_admin.get_schema_basedn().get_linearized()
248 self.domain_sid = self.find_domain_sid(self.ldb_admin)
249 print "baseDN: %s" % self.base_dn
251 ################################################################################################
255 # Default descriptor tests #####################################################################
257 class OwnerGroupDescriptorTests(DescriptorTests):
260 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1"))
261 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2"))
262 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3"))
263 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4"))
264 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5"))
265 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6"))
266 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7"))
267 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8"))
269 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1"))
270 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn)
271 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
272 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
275 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \
276 + self.configuration_dn)
277 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
280 super(OwnerGroupDescriptorTests, self).setUp()
283 # User 1 - Enterprise Admins
284 self.create_enable_user("testuser1")
285 # User 2 - Domain Admins
286 self.create_enable_user("testuser2")
287 # User 3 - Schema Admins
288 self.create_enable_user("testuser3")
289 # User 4 - regular user
290 self.create_enable_user("testuser4")
291 # User 5 - Enterprise Admins and Domain Admins
292 self.create_enable_user("testuser5")
293 # User 6 - Enterprise Admins, Domain Admins, Schema Admins
294 self.create_enable_user("testuser6")
295 # User 7 - Domain Admins and Schema Admins
296 self.create_enable_user("testuser7")
297 # User 5 - Enterprise Admins and Schema Admins
298 self.create_enable_user("testuser8")
300 self.ldb_admin.add_remove_group_members("Enterprise Admins",
301 "testuser1,testuser5,testuser6,testuser8",
302 add_members_operation=True)
303 self.ldb_admin.add_remove_group_members("Domain Admins",
304 "testuser2,testuser5,testuser6,testuser7",
305 add_members_operation=True)
306 self.ldb_admin.add_remove_group_members("Schema Admins",
307 "testuser3,testuser6,testuser7,testuser8",
308 add_members_operation=True)
311 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008
312 "ds_behavior_win2003" : {
362 # msDS-Behavior-Version >= DS_DOMAIN_FUNCTION_2008
363 "ds_behavior_win2008" : {
414 # Discover 'msDS-Behavior-Version'
415 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \
416 attrs=['msDS-Behavior-Version'])
417 res = int(res[0]['msDS-Behavior-Version'][0])
418 if res < DS_DOMAIN_FUNCTION_2008:
419 self.DS_BEHAVIOR = "ds_behavior_win2003"
421 self.DS_BEHAVIOR = "ds_behavior_win2008"
424 super(DescriptorTests, self).tearDown()
427 def check_user_belongs(self, user_dn, groups=[]):
428 """ Test wether user is member of the expected group(s) """
430 # User is member of at least one additional group
431 res = self.ldb_admin.search(user_dn, attrs=["memberOf"])
432 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))]
435 expected.append(self.get_users_domain_dn(x))
436 expected = [x.upper() for x in sorted(expected)]
437 self.assertEqual(expected, res)
439 # User is not a member of any additional groups but default
440 res = self.ldb_admin.search(user_dn, attrs=["*"])
441 res = [x.upper() for x in res[0].keys()]
442 self.assertFalse( "MEMBEROF" in res)
444 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
446 ace = "(D;;CC;;;LG)" # Deny Create Children to Guest account
447 if owner_group != "":
448 self.modify_desc(_ldb, object_dn, owner_group + "D:" + ace)
450 self.modify_desc(_ldb, object_dn, "D:" + ace)
451 # Make sure the modify operation has been applied
452 desc_sddl = self.get_desc_sddl(object_dn)
453 self.assertTrue(ace in desc_sddl)
454 # Make sure we have identical result for both "add" and "modify"
455 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
456 print self._testMethodName
457 test_number = self._testMethodName[5:]
458 self.assertEqual(self.results[self.DS_BEHAVIOR][test_number], res)
461 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN
463 user_name = "testuser1"
464 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
465 # Open Ldb connection with the tested user
466 _ldb = self.get_ldb_connection(user_name, "samba123@")
467 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
468 self.delete_force(self.ldb_admin, object_dn)
469 self.create_domain_group(_ldb, object_dn)
470 desc_sddl = self.get_desc_sddl(object_dn)
471 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
472 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
473 self.check_modify_inheritance(_ldb, object_dn)
476 """ Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
478 user_name = "testuser2"
479 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
480 # Open Ldb connection with the tested user
481 _ldb = self.get_ldb_connection(user_name, "samba123@")
482 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
483 self.delete_force(self.ldb_admin, object_dn)
484 self.create_domain_group(_ldb, object_dn)
485 desc_sddl = self.get_desc_sddl(object_dn)
486 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
487 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
488 self.check_modify_inheritance(_ldb, object_dn)
491 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN
493 user_name = "testuser3"
494 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
495 # Open Ldb connection with the tested user
496 _ldb = self.get_ldb_connection(user_name, "samba123@")
497 object_dn = "OU=test_domain_ou1," + self.base_dn
498 self.delete_force(self.ldb_admin, object_dn)
499 self.create_domain_ou(self.ldb_admin, object_dn)
500 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
501 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
502 self.dacl_add_ace(object_dn, mod)
503 # Create additional object into the first one
504 object_dn = "CN=test_domain_user1," + object_dn
505 self.delete_force(self.ldb_admin, object_dn)
506 self.create_domain_user(_ldb, object_dn)
507 desc_sddl = self.get_desc_sddl(object_dn)
508 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
509 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
510 # This fails, research why
511 #self.check_modify_inheritance(_ldb, object_dn)
514 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN
516 user_name = "testuser4"
517 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
518 # Open Ldb connection with the tested user
519 _ldb = self.get_ldb_connection(user_name, "samba123@")
520 object_dn = "OU=test_domain_ou1," + self.base_dn
521 self.delete_force(self.ldb_admin, object_dn)
522 self.create_domain_ou(self.ldb_admin, object_dn)
523 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
524 mod = "(A;CI;WPWDCC;;;%s)" % str(user_sid)
525 self.dacl_add_ace(object_dn, mod)
526 # Create additional object into the first one
527 object_dn = "CN=test_domain_user1," + object_dn
528 self.delete_force(self.ldb_admin, object_dn)
529 self.create_domain_user(_ldb, object_dn)
530 desc_sddl = self.get_desc_sddl(object_dn)
531 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
532 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
533 #this fails, research why
534 #self.check_modify_inheritance(_ldb, object_dn)
537 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN
539 user_name = "testuser5"
540 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
541 # Open Ldb connection with the tested user
542 _ldb = self.get_ldb_connection(user_name, "samba123@")
543 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
544 self.delete_force(self.ldb_admin, object_dn)
545 self.create_domain_group(_ldb, object_dn)
546 desc_sddl = self.get_desc_sddl(object_dn)
547 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
548 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
549 self.check_modify_inheritance(_ldb, object_dn)
552 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
554 user_name = "testuser6"
555 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
556 # Open Ldb connection with the tested user
557 _ldb = self.get_ldb_connection(user_name, "samba123@")
558 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
559 self.delete_force(self.ldb_admin, object_dn)
560 self.create_domain_group(_ldb, object_dn)
561 desc_sddl = self.get_desc_sddl(object_dn)
562 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
563 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
564 self.check_modify_inheritance(_ldb, object_dn)
567 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
569 user_name = "testuser7"
570 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
571 # Open Ldb connection with the tested user
572 _ldb = self.get_ldb_connection(user_name, "samba123@")
573 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
574 self.delete_force(self.ldb_admin, object_dn)
575 self.create_domain_group(_ldb, object_dn)
576 desc_sddl = self.get_desc_sddl(object_dn)
577 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
578 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
579 self.check_modify_inheritance(_ldb, object_dn)
582 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN
584 user_name = "testuser8"
585 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
586 # Open Ldb connection with the tested user
587 _ldb = self.get_ldb_connection(user_name, "samba123@")
588 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
589 self.delete_force(self.ldb_admin, object_dn)
590 self.create_domain_group(_ldb, object_dn)
591 desc_sddl = self.get_desc_sddl(object_dn)
592 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
593 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
594 self.check_modify_inheritance(_ldb, object_dn)
596 # Control descriptor tests #####################################################################
599 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN
601 user_name = "testuser1"
602 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
603 # Open Ldb connection with the tested user
604 _ldb = self.get_ldb_connection(user_name, "samba123@")
605 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
606 self.delete_force(self.ldb_admin, object_dn)
607 # Create a custom security descriptor
608 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
609 self.create_domain_group(_ldb, object_dn, desc_sddl)
610 desc_sddl = self.get_desc_sddl(object_dn)
611 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
612 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
615 """ Domain admin group member creates object (custom descriptor) in DOMAIN
617 user_name = "testuser2"
618 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
619 # Open Ldb connection with the tested user
620 _ldb = self.get_ldb_connection(user_name, "samba123@")
621 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
622 self.delete_force(self.ldb_admin, object_dn)
623 # Create a custom security descriptor
624 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
625 self.create_domain_group(_ldb, object_dn, desc_sddl)
626 desc_sddl = self.get_desc_sddl(object_dn)
627 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
628 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
631 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN
633 user_name = "testuser3"
634 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
635 # Open Ldb connection with the tested user
636 _ldb = self.get_ldb_connection(user_name, "samba123@")
637 object_dn = "OU=test_domain_ou1," + self.base_dn
638 self.delete_force(self.ldb_admin, object_dn)
639 self.create_domain_ou(self.ldb_admin, object_dn)
640 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
641 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
642 self.dacl_add_ace(object_dn, mod)
643 # Create a custom security descriptor
644 # NB! Problematic owner part won't accept DA only <User Sid> !!!
645 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
646 # Create additional object into the first one
647 object_dn = "CN=test_domain_user1," + object_dn
648 self.delete_force(self.ldb_admin, object_dn)
649 self.create_domain_user(_ldb, object_dn, desc_sddl)
650 desc = self.read_desc(object_dn)
651 desc_sddl = self.get_desc_sddl(object_dn)
652 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
653 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
656 """ Regular user with CC right creates object (custom descriptor) in DOMAIN
658 user_name = "testuser4"
659 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
660 # Open Ldb connection with the tested user
661 _ldb = self.get_ldb_connection(user_name, "samba123@")
662 object_dn = "OU=test_domain_ou1," + self.base_dn
663 self.delete_force(self.ldb_admin, object_dn)
664 self.create_domain_ou(self.ldb_admin, object_dn)
665 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
666 mod = "(A;CI;WOWDCC;;;%s)" % str(user_sid)
667 self.dacl_add_ace(object_dn, mod)
668 # Create a custom security descriptor
669 # NB! Problematic owner part won't accept DA only <User Sid> !!!
670 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
671 # Create additional object into the first one
672 object_dn = "CN=test_domain_user1," + object_dn
673 self.delete_force(self.ldb_admin, object_dn)
674 self.create_domain_user(_ldb, object_dn, desc_sddl)
675 desc = self.read_desc(object_dn)
676 desc_sddl = self.get_desc_sddl(object_dn)
677 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
678 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
681 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN
683 user_name = "testuser5"
684 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
685 # Open Ldb connection with the tested user
686 _ldb = self.get_ldb_connection(user_name, "samba123@")
687 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
688 self.delete_force(self.ldb_admin, object_dn)
689 # Create a custom security descriptor
690 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
691 self.create_domain_group(_ldb, object_dn, desc_sddl)
692 desc_sddl = self.get_desc_sddl(object_dn)
693 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
694 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
697 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
699 user_name = "testuser6"
700 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
701 # Open Ldb connection with the tested user
702 _ldb = self.get_ldb_connection(user_name, "samba123@")
703 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
704 self.delete_force(self.ldb_admin, object_dn)
705 # Create a custom security descriptor
706 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
707 self.create_domain_group(_ldb, object_dn, desc_sddl)
708 desc_sddl = self.get_desc_sddl(object_dn)
709 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
710 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
713 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN
715 user_name = "testuser7"
716 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
717 # Open Ldb connection with the tested user
718 _ldb = self.get_ldb_connection(user_name, "samba123@")
719 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
720 self.delete_force(self.ldb_admin, object_dn)
721 # Create a custom security descriptor
722 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
723 self.create_domain_group(_ldb, object_dn, desc_sddl)
724 desc_sddl = self.get_desc_sddl(object_dn)
725 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
726 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
729 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN
731 user_name = "testuser8"
732 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
733 # Open Ldb connection with the tested user
734 _ldb = self.get_ldb_connection(user_name, "samba123@")
735 object_dn = "CN=test_domain_group1,CN=Users," + self.base_dn
736 self.delete_force(self.ldb_admin, object_dn)
737 # Create a custom security descriptor
738 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
739 self.create_domain_group(_ldb, object_dn, desc_sddl)
740 desc_sddl = self.get_desc_sddl(object_dn)
741 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
742 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
745 user_name = "Administrator"
746 object_dn = "OU=test_domain_ou1," + self.base_dn
747 self.delete_force(self.ldb_admin, object_dn)
748 self.create_domain_ou(self.ldb_admin, object_dn)
749 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
750 mod = "(D;CI;WP;;;S-1-3-0)"
752 self.dacl_add_ace(object_dn, mod)
753 desc_sddl = self.get_desc_sddl(object_dn)
754 # Create additional object into the first one
755 object_dn = "OU=test_domain_ou2," + object_dn
756 self.delete_force(self.ldb_admin, object_dn)
757 self.create_domain_ou(self.ldb_admin, object_dn)
758 desc_sddl = self.get_desc_sddl(object_dn)
762 # Defalt descriptor tests ##################################################################
765 user_name = "testuser1"
766 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
767 # Open Ldb connection with the tested user
768 _ldb = self.get_ldb_connection(user_name, "samba123@")
769 # Change Schema partition descriptor
770 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
771 mod = "(A;;WDCC;;;AU)"
772 self.dacl_add_ace(self.schema_dn, mod)
773 # Create example Schema class
774 class_name = self.get_unique_schema_class_name()
775 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
776 self.create_schema_class(_ldb, class_dn)
777 desc_sddl = self.get_desc_sddl(class_dn)
778 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
779 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
780 self.check_modify_inheritance(_ldb, class_dn)
783 user_name = "testuser2"
784 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
785 # Open Ldb connection with the tested user
786 _ldb = self.get_ldb_connection(user_name, "samba123@")
787 # Change Schema partition descriptor
788 mod = "(A;CI;WDCC;;;AU)"
789 self.dacl_add_ace(self.schema_dn, mod)
790 # Create example Schema class
791 class_name = self.get_unique_schema_class_name()
792 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
793 self.create_schema_class(_ldb, class_dn)
794 desc_sddl = self.get_desc_sddl(class_dn)
795 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
796 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
797 self.check_modify_inheritance(_ldb, class_dn)
800 user_name = "testuser3"
801 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
802 # Open Ldb connection with the tested user
803 _ldb = self.get_ldb_connection(user_name, "samba123@")
804 # Change Schema partition descriptor
805 mod = "(A;CI;WDCC;;;AU)"
806 self.dacl_add_ace(self.schema_dn, mod)
807 # Create example Schema class
808 class_name = self.get_unique_schema_class_name()
809 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
810 self.create_schema_class(_ldb, class_dn)
811 desc_sddl = self.get_desc_sddl(class_dn)
812 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
813 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
814 #self.check_modify_inheritance(_ldb, class_dn)
817 user_name = "testuser4"
818 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
819 # Open Ldb connection with the tested user
820 _ldb = self.get_ldb_connection(user_name, "samba123@")
821 #Change Schema partition descriptor
822 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
823 mod = "(A;CI;WDCC;;;AU)"
824 self.dacl_add_ace(self.schema_dn, mod)
825 # Create example Schema class
826 class_name = self.get_unique_schema_class_name()
827 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
828 self.create_schema_class(_ldb, class_dn)
829 desc_sddl = self.get_desc_sddl(class_dn)
830 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
831 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
832 #self.check_modify_inheritance(_ldb, class_dn)
835 user_name = "testuser5"
836 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
837 # Open Ldb connection with the tested user
838 _ldb = self.get_ldb_connection(user_name, "samba123@")
839 #Change Schema partition descriptor
840 mod = "(A;CI;WDCC;;;AU)"
841 self.dacl_add_ace(self.schema_dn, mod)
842 # Create example Schema class
843 class_name = self.get_unique_schema_class_name()
844 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
845 self.create_schema_class(_ldb, class_dn)
846 desc_sddl = self.get_desc_sddl(class_dn)
847 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
848 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
849 self.check_modify_inheritance(_ldb, class_dn)
852 user_name = "testuser6"
853 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
854 # Open Ldb connection with the tested user
855 _ldb = self.get_ldb_connection(user_name, "samba123@")
856 # Change Schema partition descriptor
857 mod = "(A;CI;WDCC;;;AU)"
858 self.dacl_add_ace(self.schema_dn, mod)
859 # Create example Schema class
860 class_name = self.get_unique_schema_class_name()
861 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
862 self.create_schema_class(_ldb, class_dn)
863 desc_sddl = self.get_desc_sddl(class_dn)
864 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
865 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
866 self.check_modify_inheritance(_ldb, class_dn)
869 user_name = "testuser7"
870 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
871 # Open Ldb connection with the tested user
872 _ldb = self.get_ldb_connection(user_name, "samba123@")
873 # Change Schema partition descriptor
874 mod = "(A;CI;WDCC;;;AU)"
875 self.dacl_add_ace(self.schema_dn, mod)
876 # Create example Schema class
877 class_name = self.get_unique_schema_class_name()
878 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
879 self.create_schema_class(_ldb, class_dn)
880 desc_sddl = self.get_desc_sddl(class_dn)
881 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
882 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
883 self.check_modify_inheritance(_ldb, class_dn)
886 user_name = "testuser8"
887 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
888 # Open Ldb connection with the tested user
889 _ldb = self.get_ldb_connection(user_name, "samba123@")
890 # Change Schema partition descriptor
891 mod = "(A;CI;WDCC;;;AU)"
892 self.dacl_add_ace(self.schema_dn, mod)
893 # Create example Schema class
894 class_name = self.get_unique_schema_class_name()
895 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
896 self.create_schema_class(_ldb, class_dn)
897 desc_sddl = self.get_desc_sddl(class_dn)
898 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
899 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
900 self.check_modify_inheritance(_ldb, class_dn)
902 # Custom descriptor tests ##################################################################
905 user_name = "testuser1"
906 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
907 # Open Ldb connection with the tested user
908 _ldb = self.get_ldb_connection(user_name, "samba123@")
909 # Change Schema partition descriptor
911 self.dacl_add_ace(self.schema_dn, mod)
912 # Create a custom security descriptor
913 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
914 # Create example Schema class
915 class_name = self.get_unique_schema_class_name()
916 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
917 self.create_schema_class(_ldb, class_dn, desc_sddl)
918 desc_sddl = self.get_desc_sddl(class_dn)
919 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
920 self.assertEqual("O:DAG:DA", res)
923 user_name = "testuser2"
924 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
925 # Open Ldb connection with the tested user
926 _ldb = self.get_ldb_connection(user_name, "samba123@")
927 # Change Schema partition descriptor
929 self.dacl_add_ace(self.schema_dn, mod)
930 # Create a custom security descriptor
931 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
932 # Create example Schema class
933 class_name = self.get_unique_schema_class_name()
934 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
935 self.create_schema_class(_ldb, class_dn, desc_sddl)
936 desc_sddl = self.get_desc_sddl(class_dn)
937 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
938 self.assertEqual("O:DAG:DA", res)
941 user_name = "testuser3"
942 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
943 # Open Ldb connection with the tested user
944 _ldb = self.get_ldb_connection(user_name, "samba123@")
945 # Create a custom security descriptor
946 # NB! Problematic owner part won't accept DA only <User Sid> !!!
947 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
948 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
949 # Create example Schema class
950 class_name = self.get_unique_schema_class_name()
951 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
952 self.create_schema_class(_ldb, class_dn, desc_sddl)
953 desc_sddl = self.get_desc_sddl(class_dn)
954 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
955 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
958 user_name = "testuser4"
959 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
960 # Open Ldb connection with the tested user
961 _ldb = self.get_ldb_connection(user_name, "samba123@")
962 # Create a custom security descriptor
963 # NB! Problematic owner part won't accept DA only <User Sid> !!!
964 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
965 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
966 # Create example Schema class
967 class_name = self.get_unique_schema_class_name()
968 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
969 self.create_schema_class(_ldb, class_dn, desc_sddl)
970 desc_sddl = self.get_desc_sddl(class_dn)
971 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
972 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
975 user_name = "testuser5"
976 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
977 # Open Ldb connection with the tested user
978 _ldb = self.get_ldb_connection(user_name, "samba123@")
979 # Change Schema partition descriptor
981 self.dacl_add_ace(self.schema_dn, mod)
982 # Create a custom security descriptor
983 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
984 # Create example Schema class
985 class_name = self.get_unique_schema_class_name()
986 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
987 self.create_schema_class(_ldb, class_dn, desc_sddl)
988 desc_sddl = self.get_desc_sddl(class_dn)
989 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
990 self.assertEqual("O:DAG:DA", res)
993 user_name = "testuser6"
994 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
995 # Open Ldb connection with the tested user
996 _ldb = self.get_ldb_connection(user_name, "samba123@")
997 # Change Schema partition descriptor
999 self.dacl_add_ace(self.schema_dn, mod)
1000 # Create a custom security descriptor
1001 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1002 # Create example Schema class
1003 class_name = self.get_unique_schema_class_name()
1004 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1005 self.create_schema_class(_ldb, class_dn, desc_sddl)
1006 desc_sddl = self.get_desc_sddl(class_dn)
1007 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1008 self.assertEqual("O:DAG:DA", res)
1011 user_name = "testuser7"
1012 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1013 # Open Ldb connection with the tested user
1014 _ldb = self.get_ldb_connection(user_name, "samba123@")
1015 # Change Schema partition descriptor
1016 mod = "(A;;CC;;;AU)"
1017 self.dacl_add_ace(self.schema_dn, mod)
1018 # Create a custom security descriptor
1019 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1020 # Create example Schema class
1021 class_name = self.get_unique_schema_class_name()
1022 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1023 self.create_schema_class(_ldb, class_dn, desc_sddl)
1024 desc_sddl = self.get_desc_sddl(class_dn)
1025 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1026 self.assertEqual("O:DAG:DA", res)
1029 user_name = "testuser8"
1030 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1031 # Open Ldb connection with the tested user
1032 _ldb = self.get_ldb_connection(user_name, "samba123@")
1033 # Change Schema partition descriptor
1034 mod = "(A;;CC;;;AU)"
1035 self.dacl_add_ace(self.schema_dn, mod)
1036 # Create a custom security descriptor
1037 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1038 # Create example Schema class
1039 class_name = self.get_unique_schema_class_name()
1040 class_dn = "CN=%s,%s" % (class_name, self.schema_dn)
1041 self.create_schema_class(_ldb, class_dn, desc_sddl)
1042 desc_sddl = self.get_desc_sddl(class_dn)
1043 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1044 self.assertEqual("O:DAG:DA", res)
1046 ## Tests for CONFIGURATION
1048 # Defalt descriptor tests ##################################################################
1051 user_name = "testuser1"
1052 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1053 # Open Ldb connection with the tested user
1054 _ldb = self.get_ldb_connection(user_name, "samba123@")
1055 # Create example Configuration container
1056 container_name = "test-container1"
1057 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1058 self.delete_force(self.ldb_admin, object_dn)
1059 self.create_configuration_container(_ldb, object_dn, )
1060 desc_sddl = self.get_desc_sddl(object_dn)
1061 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1062 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1063 self.check_modify_inheritance(_ldb, object_dn)
1066 user_name = "testuser2"
1067 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1068 # Open Ldb connection with the tested user
1069 _ldb = self.get_ldb_connection(user_name, "samba123@")
1070 # Create example Configuration container
1071 container_name = "test-container1"
1072 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1073 self.delete_force(self.ldb_admin, object_dn)
1074 self.create_configuration_container(_ldb, object_dn, )
1075 desc_sddl = self.get_desc_sddl(object_dn)
1076 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1077 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1078 self.check_modify_inheritance(_ldb, object_dn)
1081 user_name = "testuser3"
1082 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1083 # Open Ldb connection with the tested user
1084 _ldb = self.get_ldb_connection(user_name, "samba123@")
1085 # Create example Configuration container
1086 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1087 self.delete_force(self.ldb_admin, object_dn)
1088 self.create_configuration_container(self.ldb_admin, object_dn, )
1089 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1090 mod = "(A;;WDCC;;;AU)"
1091 self.dacl_add_ace(object_dn, mod)
1092 # Create child object with user's credentials
1093 object_dn = "CN=test-specifier1," + object_dn
1094 self.delete_force(self.ldb_admin, object_dn)
1095 self.create_configuration_specifier(_ldb, object_dn)
1096 desc_sddl = self.get_desc_sddl(object_dn)
1097 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1098 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1099 #self.check_modify_inheritance(_ldb, object_dn)
1102 user_name = "testuser4"
1103 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1104 # Open Ldb connection with the tested user
1105 _ldb = self.get_ldb_connection(user_name, "samba123@")
1106 # Create example Configuration container
1107 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1108 self.delete_force(self.ldb_admin, object_dn)
1109 self.create_configuration_container(self.ldb_admin, object_dn, )
1110 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1111 mod = "(A;CI;WDCC;;;AU)"
1112 self.dacl_add_ace(object_dn, mod)
1113 # Create child object with user's credentials
1114 object_dn = "CN=test-specifier1," + object_dn
1115 self.delete_force(self.ldb_admin, object_dn)
1116 self.create_configuration_specifier(_ldb, object_dn)
1117 desc_sddl = self.get_desc_sddl(object_dn)
1118 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1119 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1120 #self.check_modify_inheritance(_ldb, object_dn)
1123 user_name = "testuser5"
1124 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1125 # Open Ldb connection with the tested user
1126 _ldb = self.get_ldb_connection(user_name, "samba123@")
1127 # Create example Configuration container
1128 container_name = "test-container1"
1129 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1130 self.delete_force(self.ldb_admin, object_dn)
1131 self.create_configuration_container(_ldb, object_dn, )
1132 desc_sddl = self.get_desc_sddl(object_dn)
1133 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1134 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1135 self.check_modify_inheritance(_ldb, object_dn)
1138 user_name = "testuser6"
1139 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1140 # Open Ldb connection with the tested user
1141 _ldb = self.get_ldb_connection(user_name, "samba123@")
1142 # Create example Configuration container
1143 container_name = "test-container1"
1144 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1145 self.delete_force(self.ldb_admin, object_dn)
1146 self.create_configuration_container(_ldb, object_dn, )
1147 desc_sddl = self.get_desc_sddl(object_dn)
1148 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1149 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1150 self.check_modify_inheritance(_ldb, object_dn)
1153 user_name = "testuser7"
1154 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1155 # Open Ldb connection with the tested user
1156 _ldb = self.get_ldb_connection(user_name, "samba123@")
1157 # Create example Configuration container
1158 container_name = "test-container1"
1159 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1160 self.delete_force(self.ldb_admin, object_dn)
1161 self.create_configuration_container(_ldb, object_dn, )
1162 desc_sddl = self.get_desc_sddl(object_dn)
1163 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1164 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1165 self.check_modify_inheritance(_ldb, object_dn)
1168 user_name = "testuser8"
1169 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1170 # Open Ldb connection with the tested user
1171 _ldb = self.get_ldb_connection(user_name, "samba123@")
1172 # Create example Configuration container
1173 container_name = "test-container1"
1174 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1175 self.delete_force(self.ldb_admin, object_dn)
1176 self.create_configuration_container(_ldb, object_dn, )
1177 desc_sddl = self.get_desc_sddl(object_dn)
1178 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1179 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]], res)
1180 self.check_modify_inheritance(_ldb, object_dn)
1182 # Custom descriptor tests ##################################################################
1185 user_name = "testuser1"
1186 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"])
1187 # Open Ldb connection with the tested user
1188 _ldb = self.get_ldb_connection(user_name, "samba123@")
1189 # Create example Configuration container
1190 container_name = "test-container1"
1191 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1192 self.delete_force(self.ldb_admin, object_dn)
1193 # Create a custom security descriptor
1194 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1195 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1196 desc_sddl = self.get_desc_sddl(object_dn)
1197 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1198 self.assertEqual("O:DAG:DA", res)
1201 user_name = "testuser2"
1202 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"])
1203 # Open Ldb connection with the tested user
1204 _ldb = self.get_ldb_connection(user_name, "samba123@")
1205 # Create example Configuration container
1206 container_name = "test-container1"
1207 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1208 self.delete_force(self.ldb_admin, object_dn)
1209 # Create a custom security descriptor
1210 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1211 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1212 desc_sddl = self.get_desc_sddl(object_dn)
1213 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1214 self.assertEqual("O:DAG:DA", res)
1217 user_name = "testuser3"
1218 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"])
1219 # Open Ldb connection with the tested user
1220 _ldb = self.get_ldb_connection(user_name, "samba123@")
1221 # Create example Configuration container
1222 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1223 self.delete_force(self.ldb_admin, object_dn)
1224 self.create_configuration_container(self.ldb_admin, object_dn, )
1225 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1226 mod = "(A;;CC;;;AU)"
1227 self.dacl_add_ace(object_dn, mod)
1228 # Create child object with user's credentials
1229 object_dn = "CN=test-specifier1," + object_dn
1230 self.delete_force(self.ldb_admin, object_dn)
1231 # Create a custom security descriptor
1232 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1233 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1234 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1235 desc_sddl = self.get_desc_sddl(object_dn)
1236 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1237 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1240 user_name = "testuser4"
1241 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
1242 # Open Ldb connection with the tested user
1243 _ldb = self.get_ldb_connection(user_name, "samba123@")
1244 # Create example Configuration container
1245 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn
1246 self.delete_force(self.ldb_admin, object_dn)
1247 self.create_configuration_container(self.ldb_admin, object_dn, )
1248 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) )
1249 mod = "(A;;CC;;;AU)"
1250 self.dacl_add_ace(object_dn, mod)
1251 # Create child object with user's credentials
1252 object_dn = "CN=test-specifier1," + object_dn
1253 self.delete_force(self.ldb_admin, object_dn)
1254 # Create a custom security descriptor
1255 # NB! Problematic owner part won't accept DA only <User Sid> !!!
1256 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid)
1257 self.create_configuration_specifier(_ldb, object_dn, desc_sddl)
1258 desc_sddl = self.get_desc_sddl(object_dn)
1259 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1260 self.assertEqual(self.results[self.DS_BEHAVIOR][self._testMethodName[5:]] % str(user_sid), res)
1263 user_name = "testuser5"
1264 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"])
1265 # Open Ldb connection with the tested user
1266 _ldb = self.get_ldb_connection(user_name, "samba123@")
1267 # Create example Configuration container
1268 container_name = "test-container1"
1269 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1270 self.delete_force(self.ldb_admin, object_dn)
1271 # Create a custom security descriptor
1272 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1273 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1274 desc_sddl = self.get_desc_sddl(object_dn)
1275 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1276 self.assertEqual("O:DAG:DA", res)
1279 user_name = "testuser6"
1280 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"])
1281 # Open Ldb connection with the tested user
1282 _ldb = self.get_ldb_connection(user_name, "samba123@")
1283 # Create example Configuration container
1284 container_name = "test-container1"
1285 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1286 self.delete_force(self.ldb_admin, object_dn)
1287 # Create a custom security descriptor
1288 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1289 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1290 desc_sddl = self.get_desc_sddl(object_dn)
1291 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1292 self.assertEqual("O:DAG:DA", res)
1295 user_name = "testuser7"
1296 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"])
1297 # Open Ldb connection with the tested user
1298 _ldb = self.get_ldb_connection(user_name, "samba123@")
1299 # Create example Configuration container
1300 container_name = "test-container1"
1301 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1302 self.delete_force(self.ldb_admin, object_dn)
1303 # Create a custom security descriptor
1304 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1305 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1306 desc_sddl = self.get_desc_sddl(object_dn)
1307 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1308 self.assertEqual("O:DAG:DA", res)
1311 user_name = "testuser8"
1312 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"])
1313 # Open Ldb connection with the tested user
1314 _ldb = self.get_ldb_connection(user_name, "samba123@")
1315 # Create example Configuration container
1316 container_name = "test-container1"
1317 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn)
1318 self.delete_force(self.ldb_admin, object_dn)
1319 # Create a custom security descriptor
1320 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)"
1321 self.create_configuration_container(_ldb, object_dn, desc_sddl)
1322 desc_sddl = self.get_desc_sddl(object_dn)
1323 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
1324 self.assertEqual("O:DAG:DA", res)
1326 ########################################################################################
1327 # Inharitance tests for DACL
1329 class DaclDescriptorTests(DescriptorTests):
1331 def deleteAll(self):
1332 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn)
1333 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn)
1336 super(DaclDescriptorTests, self).setUp()
1339 def create_clean_ou(self, object_dn):
1340 """ Base repeating setup for unittests to follow """
1341 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \
1342 expression="distinguishedName=%s" % object_dn)
1343 # Make sure top testing OU has been deleted before starting the test
1344 self.assertEqual(res, [])
1345 self.create_domain_ou(self.ldb_admin, object_dn)
1346 desc_sddl = self.get_desc_sddl(object_dn)
1347 # Make sure there are inheritable ACEs initially
1348 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl)
1349 # Find and remove all inherit ACEs
1350 res = re.findall("\(.*?\)", desc_sddl)
1351 res = [x for x in res if ("CI" in x) or ("OI" in x)]
1353 desc_sddl = desc_sddl.replace(x, "")
1354 # Add flag 'protected' in both DACL and SACL so no inherit ACEs
1355 # can propagate from above
1356 # remove SACL, we are not interested
1357 desc_sddl = desc_sddl.replace(":AI", ":AIP")
1358 self.modify_desc(self.ldb_admin, object_dn, desc_sddl)
1359 # Verify all inheritable ACEs are gone
1360 desc_sddl = self.get_desc_sddl(object_dn)
1361 self.assertFalse("CI" in desc_sddl)
1362 self.assertFalse("OI" in desc_sddl)
1365 """ OU with protected flag and child group. See if the group has inherit ACEs.
1367 ou_dn = "OU=test_inherit_ou," + self.base_dn
1368 group_dn = "CN=test_inherit_group," + ou_dn
1369 # Create inheritable-free OU
1370 self.create_clean_ou(ou_dn)
1371 # Create group child object
1372 self.create_domain_group(self.ldb_admin, group_dn)
1373 # Make sure created group object contains NO inherit ACEs
1374 desc_sddl = self.get_desc_sddl(group_dn)
1375 self.assertFalse("ID" in desc_sddl)
1378 """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
1379 Verify group has custom and default ACEs only.
1381 ou_dn = "OU=test_inherit_ou," + self.base_dn
1382 group_dn = "CN=test_inherit_group," + ou_dn
1383 # Create inheritable-free OU
1384 self.create_clean_ou(ou_dn)
1385 # Create group child object using custom security descriptor
1386 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)"
1387 self.create_domain_group(self.ldb_admin, group_dn, sddl)
1388 # Make sure created group descriptor has NO additional ACEs
1389 desc_sddl = self.get_desc_sddl(group_dn)
1390 self.assertEqual(desc_sddl, sddl)
1391 sddl = "O:AUG:AUD:AI(D;;CC;;;LG)"
1392 self.modify_desc(self.ldb_admin, group_dn, sddl)
1393 desc_sddl = self.get_desc_sddl(group_dn)
1394 self.assertEqual(desc_sddl, sddl)
1397 """ OU with protected flag and add couple non-inheritable ACEs, child group.
1398 See if the group has any of the added ACEs.
1400 ou_dn = "OU=test_inherit_ou," + self.base_dn
1401 group_dn = "CN=test_inherit_group," + ou_dn
1402 # Create inheritable-free OU
1403 self.create_clean_ou(ou_dn)
1404 # Add some custom non-inheritable ACEs
1405 mod = "(D;;WP;;;DU)(A;;RP;;;DU)"
1406 moded = "(D;;CC;;;LG)"
1407 self.dacl_add_ace(ou_dn, mod)
1408 # Verify all inheritable ACEs are gone
1409 desc_sddl = self.get_desc_sddl(ou_dn)
1410 # Create group child object
1411 self.create_domain_group(self.ldb_admin, group_dn)
1412 # Make sure created group object contains NO inherit ACEs
1413 # also make sure the added above non-inheritable ACEs are absent too
1414 desc_sddl = self.get_desc_sddl(group_dn)
1415 self.assertFalse("ID" in desc_sddl)
1416 for x in re.findall("\(.*?\)", mod):
1417 self.assertFalse(x in desc_sddl)
1418 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1419 desc_sddl = self.get_desc_sddl(group_dn)
1420 self.assertFalse("ID" in desc_sddl)
1421 for x in re.findall("\(.*?\)", mod):
1422 self.assertFalse(x in desc_sddl)
1425 """ OU with protected flag and add 'CI' ACE, child group.
1426 See if the group has the added inherited ACE.
1428 ou_dn = "OU=test_inherit_ou," + self.base_dn
1429 group_dn = "CN=test_inherit_group," + ou_dn
1430 # Create inheritable-free OU
1431 self.create_clean_ou(ou_dn)
1432 # Add some custom 'CI' ACE
1433 mod = "(D;CI;WP;;;DU)"
1434 moded = "(D;;CC;;;LG)"
1435 self.dacl_add_ace(ou_dn, mod)
1436 desc_sddl = self.get_desc_sddl(ou_dn)
1437 # Create group child object
1438 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1439 # Make sure created group object contains only the above inherited ACE
1440 # that we've added manually
1441 desc_sddl = self.get_desc_sddl(group_dn)
1442 mod = mod.replace(";CI;", ";CIID;")
1443 self.assertTrue(mod in desc_sddl)
1444 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1445 desc_sddl = self.get_desc_sddl(group_dn)
1446 self.assertTrue(moded in desc_sddl)
1447 self.assertTrue(mod in desc_sddl)
1450 """ OU with protected flag and add 'OI' ACE, child group.
1451 See if the group has the added inherited ACE.
1453 ou_dn = "OU=test_inherit_ou," + self.base_dn
1454 group_dn = "CN=test_inherit_group," + ou_dn
1455 # Create inheritable-free OU
1456 self.create_clean_ou(ou_dn)
1457 # Add some custom 'CI' ACE
1458 mod = "(D;OI;WP;;;DU)"
1459 moded = "(D;;CC;;;LG)"
1460 self.dacl_add_ace(ou_dn, mod)
1461 desc_sddl = self.get_desc_sddl(ou_dn)
1462 # Create group child object
1463 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1464 # Make sure created group object contains only the above inherited ACE
1465 # that we've added manually
1466 desc_sddl = self.get_desc_sddl(group_dn)
1467 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1468 self.assertTrue(mod in desc_sddl)
1469 self.modify_desc(self.ldb_admin, group_dn, "D:" +moded)
1470 desc_sddl = self.get_desc_sddl(group_dn)
1471 self.assertTrue(moded in desc_sddl)
1472 self.assertTrue(mod in desc_sddl)
1475 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
1476 See if the group has the added inherited ACE.
1478 ou_dn = "OU=test_inherit_ou," + self.base_dn
1479 group_dn = "CN=test_inherit_group," + ou_dn
1480 # Create inheritable-free OU
1481 self.create_clean_ou(ou_dn)
1482 # Add some custom 'OA' for 'name' attribute & 'CI' ACE
1483 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1484 moded = "(D;;CC;;;LG)"
1485 self.dacl_add_ace(ou_dn, mod)
1486 desc_sddl = self.get_desc_sddl(ou_dn)
1487 # Create group child object
1488 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1489 # Make sure created group object contains only the above inherited ACE
1490 # that we've added manually
1491 desc_sddl = self.get_desc_sddl(group_dn)
1492 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1493 self.assertTrue(mod in desc_sddl)
1494 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1495 desc_sddl = self.get_desc_sddl(group_dn)
1496 self.assertTrue(moded in desc_sddl)
1497 self.assertTrue(mod in desc_sddl)
1500 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
1501 See if the group has the added inherited ACE.
1503 ou_dn = "OU=test_inherit_ou," + self.base_dn
1504 group_dn = "CN=test_inherit_group," + ou_dn
1505 # Create inheritable-free OU
1506 self.create_clean_ou(ou_dn)
1507 # Add some custom 'OA' for 'name' attribute & 'OI' ACE
1508 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
1509 moded = "(D;;CC;;;LG)"
1510 self.dacl_add_ace(ou_dn, mod)
1511 desc_sddl = self.get_desc_sddl(ou_dn)
1512 # Create group child object
1513 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1514 # Make sure created group object contains only the above inherited ACE
1515 # that we've added manually
1516 desc_sddl = self.get_desc_sddl(group_dn)
1517 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1518 self.assertTrue(mod in desc_sddl)
1519 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1520 desc_sddl = self.get_desc_sddl(group_dn)
1521 self.assertTrue(moded in desc_sddl)
1522 self.assertTrue(mod in desc_sddl)
1525 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
1526 See if the group has the added inherited ACE.
1528 ou_dn = "OU=test_inherit_ou," + self.base_dn
1529 group_dn = "CN=test_inherit_group," + ou_dn
1530 # Create inheritable-free OU
1531 self.create_clean_ou(ou_dn)
1532 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE
1533 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1534 moded = "(D;;CC;;;LG)"
1535 self.dacl_add_ace(ou_dn, mod)
1536 desc_sddl = self.get_desc_sddl(ou_dn)
1537 # Create group child object
1538 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1539 # Make sure created group object contains only the above inherited ACE
1540 # that we've added manually
1541 desc_sddl = self.get_desc_sddl(group_dn)
1542 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
1543 self.assertTrue(mod in desc_sddl)
1544 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1545 desc_sddl = self.get_desc_sddl(group_dn)
1546 self.assertTrue(moded in desc_sddl)
1547 self.assertTrue(mod in desc_sddl)
1550 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
1551 See if the group has the added inherited ACE.
1553 ou_dn = "OU=test_inherit_ou," + self.base_dn
1554 group_dn = "CN=test_inherit_group," + ou_dn
1555 # Create inheritable-free OU
1556 self.create_clean_ou(ou_dn)
1557 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE
1558 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)"
1559 moded = "(D;;CC;;;LG)"
1560 self.dacl_add_ace(ou_dn, mod)
1561 desc_sddl = self.get_desc_sddl(ou_dn)
1562 # Create group child object
1563 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1564 # Make sure created group object contains only the above inherited ACE
1565 # that we've added manually
1566 desc_sddl = self.get_desc_sddl(group_dn)
1567 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
1568 self.assertTrue(mod in desc_sddl)
1569 self.modify_desc(self.ldb_admin, group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
1570 desc_sddl = self.get_desc_sddl(group_dn)
1571 self.assertTrue(moded in desc_sddl)
1572 self.assertTrue(mod in desc_sddl)
1575 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
1576 See if the group has the added inherited ACE.
1578 ou_dn = "OU=test_inherit_ou," + self.base_dn
1579 group_dn = "CN=test_inherit_group," + ou_dn
1580 # Create inheritable-free OU
1581 self.create_clean_ou(ou_dn)
1582 # Add some custom 'CI' ACE
1583 mod = "(D;CI;WP;;;CO)"
1584 moded = "(D;;CC;;;LG)"
1585 self.dacl_add_ace(ou_dn, mod)
1586 desc_sddl = self.get_desc_sddl(ou_dn)
1587 # Create group child object
1588 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)")
1589 # Make sure created group object contains only the above inherited ACE(s)
1590 # that we've added manually
1591 desc_sddl = self.get_desc_sddl(group_dn)
1592 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
1593 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1594 self.modify_desc(self.ldb_admin, group_dn, "D:" + moded)
1595 desc_sddl = self.get_desc_sddl(group_dn)
1596 self.assertTrue(moded in desc_sddl)
1597 self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
1598 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
1601 """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
1603 ou_dn = "OU=test_inherit_ou," + self.base_dn
1604 group_dn = "CN=test_inherit_group," + ou_dn
1605 self.create_clean_ou(ou_dn)
1606 # Add some custom ACE
1607 mod = "D:(D;CIIO;WP;;;CO)(A;ID;WP;;;AU)"
1608 self.create_domain_group(self.ldb_admin, group_dn, mod)
1609 # Make sure created group object does not contain the ID ace
1610 desc_sddl = self.get_desc_sddl(group_dn)
1611 self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
1614 """ Provide ACE with CO SID, should be expanded and replaced
1616 ou_dn = "OU=test_inherit_ou," + self.base_dn
1617 group_dn = "CN=test_inherit_group," + ou_dn
1618 # Create inheritable-free OU
1619 self.create_clean_ou(ou_dn)
1620 # Add some custom 'CI' ACE
1621 mod = "D:(D;CI;WP;;;CO)"
1622 self.create_domain_group(self.ldb_admin, group_dn, mod)
1623 desc_sddl = self.get_desc_sddl(group_dn)
1624 self.assertTrue("(D;;WP;;;DA)(D;CIIO;WP;;;CO)" in desc_sddl)
1627 """ Provide ACE with IO flag, should be ignored
1629 ou_dn = "OU=test_inherit_ou," + self.base_dn
1630 group_dn = "CN=test_inherit_group," + ou_dn
1631 # Create inheritable-free OU
1632 self.create_clean_ou(ou_dn)
1633 # Add some custom 'CI' ACE
1634 mod = "D:(D;CIIO;WP;;;CO)"
1635 self.create_domain_group(self.ldb_admin, group_dn, mod)
1636 # Make sure created group object contains only the above inherited ACE(s)
1637 # that we've added manually
1638 desc_sddl = self.get_desc_sddl(group_dn)
1639 self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
1640 self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
1641 self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
1644 """ Provide ACE with IO flag, should be ignored
1646 ou_dn = "OU=test_inherit_ou," + self.base_dn
1647 group_dn = "CN=test_inherit_group," + ou_dn
1648 # Create inheritable-free OU
1649 self.create_clean_ou(ou_dn)
1650 mod = "D:(D;IO;WP;;;DA)"
1651 self.create_domain_group(self.ldb_admin, group_dn, mod)
1652 # Make sure created group object contains only the above inherited ACE(s)
1653 # that we've added manually
1654 desc_sddl = self.get_desc_sddl(group_dn)
1655 self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
1657 ########################################################################################
1660 class SdFlagsDescriptorTests(DescriptorTests):
1661 def deleteAll(self):
1662 self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
1665 super(SdFlagsDescriptorTests, self).setUp()
1666 self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
1670 """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
1671 See that only the owner has been changed.
1673 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1674 self.create_domain_ou(self.ldb_admin, ou_dn)
1675 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1676 desc_sddl = self.get_desc_sddl(ou_dn)
1677 # make sure we have modified the owner
1678 self.assertTrue("O:AU" in desc_sddl)
1679 # make sure nothing else has been modified
1680 self.assertFalse("G:AU" in desc_sddl)
1681 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1682 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1685 """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
1686 See that only the owner has been changed.
1688 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1689 self.create_domain_ou(self.ldb_admin, ou_dn)
1690 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1691 desc_sddl = self.get_desc_sddl(ou_dn)
1692 # make sure we have modified the group
1693 self.assertTrue("G:AU" in desc_sddl)
1694 # make sure nothing else has been modified
1695 self.assertFalse("O:AU" in desc_sddl)
1696 self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
1697 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1700 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1701 See that only the owner has been changed.
1703 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1704 self.create_domain_ou(self.ldb_admin, ou_dn)
1705 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1706 desc_sddl = self.get_desc_sddl(ou_dn)
1707 # make sure we have modified the DACL
1708 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1709 # make sure nothing else has been modified
1710 self.assertFalse("O:AU" in desc_sddl)
1711 self.assertFalse("G:AU" in desc_sddl)
1712 self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
1715 """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
1716 See that only the owner has been changed.
1718 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1719 self.create_domain_ou(self.ldb_admin, ou_dn)
1720 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1721 desc_sddl = self.get_desc_sddl(ou_dn)
1722 # make sure we have modified the DACL
1723 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1724 # make sure nothing else has been modified
1725 self.assertFalse("O:AU" in desc_sddl)
1726 self.assertFalse("G:AU" in desc_sddl)
1727 self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
1730 """ Modify a descriptor with 0x0 set.
1731 Contrary to logic this is interpreted as no control,
1732 which is the same as 0xF
1734 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1735 self.create_domain_ou(self.ldb_admin, ou_dn)
1736 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
1737 desc_sddl = self.get_desc_sddl(ou_dn)
1738 # make sure we have modified the DACL
1739 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1740 # make sure nothing else has been modified
1741 self.assertTrue("O:AU" in desc_sddl)
1742 self.assertTrue("G:AU" in desc_sddl)
1743 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1746 """ Modify a descriptor with 0xF set.
1748 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1749 self.create_domain_ou(self.ldb_admin, ou_dn)
1750 self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
1751 desc_sddl = self.get_desc_sddl(ou_dn)
1752 # make sure we have modified the DACL
1753 self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
1754 # make sure nothing else has been modified
1755 self.assertTrue("O:AU" in desc_sddl)
1756 self.assertTrue("G:AU" in desc_sddl)
1757 self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
1760 """ Read a descriptor with OWNER_SECURITY_INFORMATION
1761 Only the owner part should be returned.
1763 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1764 self.create_domain_ou(self.ldb_admin, ou_dn)
1765 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
1766 # make sure we have read the owner
1767 self.assertTrue("O:" in desc_sddl)
1768 # make sure we have read nothing else
1769 self.assertFalse("G:" in desc_sddl)
1770 self.assertFalse("D:" in desc_sddl)
1771 self.assertFalse("S:" in desc_sddl)
1774 """ Read a descriptor with GROUP_SECURITY_INFORMATION
1775 Only the group part should be returned.
1777 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1778 self.create_domain_ou(self.ldb_admin, ou_dn)
1779 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
1780 # make sure we have read the owner
1781 self.assertTrue("G:" in desc_sddl)
1782 # make sure we have read nothing else
1783 self.assertFalse("O:" in desc_sddl)
1784 self.assertFalse("D:" in desc_sddl)
1785 self.assertFalse("S:" in desc_sddl)
1788 """ Read a descriptor with SACL_SECURITY_INFORMATION
1789 Only the sacl part should be returned.
1791 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1792 self.create_domain_ou(self.ldb_admin, ou_dn)
1793 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
1794 # make sure we have read the owner
1795 self.assertTrue("S:" in desc_sddl)
1796 # make sure we have read nothing else
1797 self.assertFalse("O:" in desc_sddl)
1798 self.assertFalse("D:" in desc_sddl)
1799 self.assertFalse("G:" in desc_sddl)
1802 """ Read a descriptor with DACL_SECURITY_INFORMATION
1803 Only the dacl part should be returned.
1805 ou_dn = "OU=test_sdflags_ou," + self.base_dn
1806 self.create_domain_ou(self.ldb_admin, ou_dn)
1807 desc_sddl = self.get_desc_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
1808 # make sure we have read the owner
1809 self.assertTrue("D:" in desc_sddl)
1810 # make sure we have read nothing else
1811 self.assertFalse("O:" in desc_sddl)
1812 self.assertFalse("S:" in desc_sddl)
1813 self.assertFalse("G:" in desc_sddl)
1816 class RightsAttributesTests(DescriptorTests):
1818 def deleteAll(self):
1819 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr"))
1820 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser_attr2"))
1821 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
1824 super(RightsAttributesTests, self).setUp()
1828 self.create_enable_user("testuser_attr")
1829 # User 2, Domain Admins
1830 self.create_enable_user("testuser_attr2")
1831 self.ldb_admin.add_remove_group_members("Domain Admins",
1833 add_members_operation=True)
1835 def test_sDRightsEffective(self):
1836 object_dn = "OU=test_domain_ou1," + self.base_dn
1837 self.delete_force(self.ldb_admin, object_dn)
1838 self.create_domain_ou(self.ldb_admin, object_dn)
1839 print self.get_users_domain_dn("testuser_attr")
1840 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1841 #give testuser1 read access so attributes can be retrieved
1842 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1843 self.dacl_add_ace(object_dn, mod)
1844 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1845 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1846 attrs=["sDRightsEffective"])
1847 #user whould have no rights at all
1848 self.assertEquals(len(res), 1)
1849 self.assertEquals(res[0]["sDRightsEffective"][0], "0")
1850 #give the user Write DACL and see what happens
1851 mod = "(A;CI;WD;;;%s)" % str(user_sid)
1852 self.dacl_add_ace(object_dn, mod)
1853 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1854 attrs=["sDRightsEffective"])
1855 #user whould have DACL_SECURITY_INFORMATION
1856 self.assertEquals(len(res), 1)
1857 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % SECINFO_DACL)
1858 #give the user Write Owners and see what happens
1859 mod = "(A;CI;WO;;;%s)" % str(user_sid)
1860 self.dacl_add_ace(object_dn, mod)
1861 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1862 attrs=["sDRightsEffective"])
1863 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1864 self.assertEquals(len(res), 1)
1865 self.assertEquals(res[0]["sDRightsEffective"][0], ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
1866 #no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
1867 _ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
1868 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1869 attrs=["sDRightsEffective"])
1870 #user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
1871 self.assertEquals(len(res), 1)
1872 self.assertEquals(res[0]["sDRightsEffective"][0], \
1873 ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
1875 def test_allowedChildClassesEffective(self):
1876 object_dn = "OU=test_domain_ou1," + self.base_dn
1877 self.delete_force(self.ldb_admin, object_dn)
1878 self.create_domain_ou(self.ldb_admin, object_dn)
1879 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1880 #give testuser1 read access so attributes can be retrieved
1881 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1882 self.dacl_add_ace(object_dn, mod)
1883 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1884 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1885 attrs=["allowedChildClassesEffective"])
1886 #there should be no allowed child classes
1887 self.assertEquals(len(res), 1)
1888 self.assertFalse("allowedChildClassesEffective" in res[0].keys())
1889 #give the user the right to create children of type user
1890 mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1891 self.dacl_add_ace(object_dn, mod)
1892 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1893 attrs=["allowedChildClassesEffective"])
1894 # allowedChildClassesEffective should only have one value, user
1895 self.assertEquals(len(res), 1)
1896 self.assertEquals(len(res[0]["allowedChildClassesEffective"]), 1)
1897 self.assertEquals(res[0]["allowedChildClassesEffective"][0], "user")
1899 def test_allowedAttributesEffective(self):
1900 object_dn = "OU=test_domain_ou1," + self.base_dn
1901 self.delete_force(self.ldb_admin, object_dn)
1902 self.create_domain_ou(self.ldb_admin, object_dn)
1903 user_sid = self.get_object_sid(self.get_users_domain_dn("testuser_attr"))
1904 #give testuser1 read access so attributes can be retrieved
1905 mod = "(A;CI;RP;;;%s)" % str(user_sid)
1906 self.dacl_add_ace(object_dn, mod)
1907 _ldb = self.get_ldb_connection("testuser_attr", "samba123@")
1908 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1909 attrs=["allowedAttributesEffective"])
1910 #there should be no allowed attributes
1911 self.assertEquals(len(res), 1)
1912 self.assertFalse("allowedAttributesEffective" in res[0].keys())
1913 #give the user the right to write displayName and managedBy
1914 mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid)
1915 mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid)
1916 # also rights to modify an read only attribute, fromEntry
1917 mod3 = "(OA;CI;WP;9a7ad949-ca53-11d1-bbd0-0080c76670c0;;%s)" % str(user_sid)
1918 self.dacl_add_ace(object_dn, mod + mod2 + mod3)
1919 res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
1920 attrs=["allowedAttributesEffective"])
1921 # value should only contain user and managedBy
1922 self.assertEquals(len(res), 1)
1923 self.assertEquals(len(res[0]["allowedAttributesEffective"]), 2)
1924 self.assertTrue("displayName" in res[0]["allowedAttributesEffective"])
1925 self.assertTrue("managedBy" in res[0]["allowedAttributesEffective"])
1927 if not "://" in host:
1928 if os.path.isfile(host):
1929 host = "tdb://%s" % host
1931 host = "ldap://%s" % host
1933 # use 'paged_search' module when connecting remotely
1934 if host.lower().startswith("ldap://"):
1935 ldb_options = ["modules:paged_searches"]
1939 session_info=system_session(),
1941 options=ldb_options)
1943 runner = SubunitTestRunner()
1945 if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful():
1947 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
1949 if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
1951 if not runner.run(unittest.makeSuite(RightsAttributesTests)).wasSuccessful():