lib/ldb-samba/tests/match_rules.py

   1 #!/usr/bin/env python
   2
   3 import optparse
   4 import sys
   5 import os
   6 import unittest
   7 import samba
   8 import samba.getopt as options
   9
  10 from samba.tests.subunitrun import SubunitOptions, TestProgram
  11
  12 from samba.tests import delete_force
  13 from samba.dcerpc import security, misc
  14 from samba.samdb import SamDB
  15 from samba.auth import system_session
  16 from samba.ndr import ndr_unpack
  17 from ldb import Message, MessageElement, Dn
  18 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
  19 from ldb import SCOPE_BASE, SCOPE_SUBTREE
  20
  21 class MatchRulesTests(samba.tests.TestCase):
  22     def setUp(self):
  23         super(MatchRulesTests, self).setUp()
  24         self.lp = lp
  25         self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
  26         self.base_dn = self.ldb.domain_dn()
  27         self.ou = "ou=matchrulestest,%s" % self.base_dn
  28         self.ou_users = "ou=users,%s" % self.ou
  29         self.ou_groups = "ou=groups,%s" % self.ou
  30         self.ou_computers = "ou=computers,%s" % self.ou
  31
  32         # Add a organizational unit to create objects
  33         self.ldb.add({
  34             "dn": self.ou,
  35             "objectclass": "organizationalUnit"})
  36
  37         # Add the following OU hierarchy and set otherWellKnownObjects,
  38         # which has BinaryDN syntax:
  39         #
  40         # o1
  41         # |--> o2
  42         # |    |--> o3
  43         # |    |    |-->o4
  44
  45         self.ldb.add({
  46             "dn": "OU=o1,%s" % self.ou,
  47             "objectclass": "organizationalUnit"})
  48         self.ldb.add({
  49             "dn": "OU=o2,OU=o1,%s" % self.ou,
  50             "objectclass": "organizationalUnit"})
  51         self.ldb.add({
  52             "dn": "OU=o3,OU=o2,OU=o1,%s" % self.ou,
  53             "objectclass": "organizationalUnit"})
  54         self.ldb.add({
  55             "dn": "OU=o4,OU=o3,OU=o2,OU=o1,%s" % self.ou,
  56             "objectclass": "organizationalUnit"})
  57
  58         m = Message()
  59         m.dn = Dn(self.ldb, self.ou)
  60         m["otherWellKnownObjects"] = MessageElement("B:32:00000000000000000000000000000001:OU=o1,%s" % self.ou,
  61                                      FLAG_MOD_ADD, "otherWellKnownObjects")
  62         self.ldb.modify(m)
  63
  64         m = Message()
  65         m.dn = Dn(self.ldb, "OU=o1,%s" % self.ou)
  66         m["otherWellKnownObjects"] = MessageElement("B:32:00000000000000000000000000000002:OU=o2,OU=o1,%s" % self.ou,
  67                                      FLAG_MOD_ADD, "otherWellKnownObjects")
  68         self.ldb.modify(m)
  69
  70         m = Message()
  71         m.dn = Dn(self.ldb, "OU=o2,OU=o1,%s" % self.ou)
  72         m["otherWellKnownObjects"] = MessageElement("B:32:00000000000000000000000000000003:OU=o3,OU=o2,OU=o1,%s" % self.ou,
  73                                      FLAG_MOD_ADD, "otherWellKnownObjects")
  74         self.ldb.modify(m)
  75
  76         m = Message()
  77         m.dn = Dn(self.ldb, "OU=o3,OU=o2,OU=o1,%s" % self.ou)
  78         m["otherWellKnownObjects"] = MessageElement("B:32:00000000000000000000000000000004:OU=o4,OU=o3,OU=o2,OU=o1,%s" % self.ou,
  79                                      FLAG_MOD_ADD, "otherWellKnownObjects")
  80         self.ldb.modify(m)
  81
  82         # Create OU for users and groups
  83         self.ldb.add({
  84             "dn": self.ou_users,
  85             "objectclass": "organizationalUnit"})
  86         self.ldb.add({
  87             "dn": self.ou_groups,
  88             "objectclass": "organizationalUnit"})
  89         self.ldb.add({
  90             "dn": self.ou_computers,
  91             "objectclass": "organizationalUnit"})
  92
  93         # Add four groups
  94         self.ldb.add({
  95             "dn": "cn=g1,%s" % self.ou_groups,
  96             "objectclass": "group" })
  97         self.ldb.add({
  98             "dn": "cn=g2,%s" % self.ou_groups,
  99             "objectclass": "group" })
 100         self.ldb.add({
 101             "dn": "cn=g3,%s" % self.ou_groups,
 102             "objectclass": "group" })
 103         self.ldb.add({
 104             "dn": "cn=g4,%s" % self.ou_groups,
 105             "objectclass": "group" })
 106
 107         # Add four users
 108         self.ldb.add({
 109             "dn": "cn=u1,%s" % self.ou_users,
 110             "objectclass": "user"})
 111         self.ldb.add({
 112             "dn": "cn=u2,%s" % self.ou_users,
 113             "objectclass": "user"})
 114         self.ldb.add({
 115             "dn": "cn=u3,%s" % self.ou_users,
 116             "objectclass": "user"})
 117         self.ldb.add({
 118             "dn": "cn=u4,%s" % self.ou_users,
 119             "objectclass": "user"})
 120
 121         # Add computers to test Object(DN-Binary) syntax
 122         self.ldb.add({
 123             "dn": "cn=c1,%s" % self.ou_computers,
 124             "objectclass": "computer",
 125             "dNSHostName": "c1.%s" % self.lp.get("realm").lower(),
 126             "servicePrincipalName": ["HOST/c1"],
 127             "sAMAccountName": "c1$",
 128             "userAccountControl": "83890178"})
 129
 130         self.ldb.add({
 131             "dn": "cn=c2,%s" % self.ou_computers,
 132             "objectclass": "computer",
 133             "dNSHostName": "c2.%s" % self.lp.get("realm").lower(),
 134             "servicePrincipalName": ["HOST/c2"],
 135             "sAMAccountName": "c2$",
 136             "userAccountControl": "83890178"})
 137
 138         self.ldb.add({
 139             "dn": "cn=c3,%s" % self.ou_computers,
 140             "objectclass": "computer",
 141             "dNSHostName": "c3.%s" % self.lp.get("realm").lower(),
 142             "servicePrincipalName": ["HOST/c3"],
 143             "sAMAccountName": "c3$",
 144             "userAccountControl": "83890178"})
 145
 146         # Create the following hierarchy:
 147         # g4
 148         # |--> u4
 149         # |--> g3
 150         # |    |--> u3
 151         # |    |--> g2
 152         # |    |    |--> u2
 153         # |    |    |--> g1
 154         # |    |    |    |--> u1
 155
 156         # u1 member of g1
 157         m = Message()
 158         m.dn = Dn(self.ldb, "cn=g1,%s" % self.ou_groups)
 159         m["member"] = MessageElement("cn=u1,%s" % self.ou_users,
 160                                      FLAG_MOD_ADD, "member")
 161         self.ldb.modify(m)
 162
 163         # u2 member of g2
 164         m = Message()
 165         m.dn = Dn(self.ldb, "cn=g2,%s" % self.ou_groups)
 166         m["member"] = MessageElement("cn=u2,%s" % self.ou_users,
 167                                      FLAG_MOD_ADD, "member")
 168         self.ldb.modify(m)
 169
 170         # u3 member of g3
 171         m = Message()
 172         m.dn = Dn(self.ldb, "cn=g3,%s" % self.ou_groups)
 173         m["member"] = MessageElement("cn=u3,%s" % self.ou_users,
 174                                      FLAG_MOD_ADD, "member")
 175         self.ldb.modify(m)
 176
 177         # u4 member of g4
 178         m = Message()
 179         m.dn = Dn(self.ldb, "cn=g4,%s" % self.ou_groups)
 180         m["member"] = MessageElement("cn=u4,%s" % self.ou_users,
 181                                      FLAG_MOD_ADD, "member")
 182         self.ldb.modify(m)
 183
 184         # g3 member of g4
 185         m = Message()
 186         m.dn = Dn(self.ldb, "cn=g4,%s" % self.ou_groups)
 187         m["member"] = MessageElement("cn=g3,%s" % self.ou_groups,
 188                                      FLAG_MOD_ADD, "member")
 189         self.ldb.modify(m)
 190
 191         # g2 member of g3
 192         m = Message()
 193         m.dn = Dn(self.ldb, "cn=g3,%s" % self.ou_groups)
 194         m["member"] = MessageElement("cn=g2,%s" % self.ou_groups,
 195                                      FLAG_MOD_ADD, "member")
 196         self.ldb.modify(m)
 197
 198         # g1 member of g2
 199         m = Message()
 200         m.dn = Dn(self.ldb, "cn=g2,%s" % self.ou_groups)
 201         m["member"] = MessageElement("cn=g1,%s" % self.ou_groups,
 202                                      FLAG_MOD_ADD, "member")
 203         self.ldb.modify(m)
 204
 205         # The msDS-RevealedUsers is owned by system and cannot be modified
 206         # directly. Set the schemaUpgradeInProgress flag as workaround
 207         # and create this hierarchy:
 208         # ou=computers
 209         # |-> c1
 210         # |   |->c2
 211         # |   |  |->u1
 212
 213         #
 214         # While appropriate for this test, this is NOT a good practice
 215         # in general.  This is only done here because the alternative
 216         # is to make a schema modification.
 217         #
 218         # IF/WHEN Samba protects this attribute better, this
 219         # particular part of the test can be removed, as the same code
 220         # is covered by the addressBookRoots2 case well enough.
 221         #
 222         m = Message()
 223         m.dn = Dn(self.ldb, "")
 224         m["e1"] = MessageElement("1", FLAG_MOD_REPLACE, "schemaUpgradeInProgress")
 225         self.ldb.modify(m)
 226
 227         m = Message()
 228         m.dn = Dn(self.ldb, "cn=c2,%s" % self.ou_computers)
 229         m["e1"] = MessageElement("B:8:01010101:cn=c3,%s" % self.ou_computers,
 230                                  FLAG_MOD_ADD, "msDS-RevealedUsers")
 231         self.ldb.modify(m)
 232
 233         m = Message()
 234         m.dn = Dn(self.ldb, "cn=c1,%s" % self.ou_computers)
 235         m["e1"] = MessageElement("B:8:01010101:cn=c2,%s" % self.ou_computers,
 236                                  FLAG_MOD_ADD, "msDS-RevealedUsers")
 237         self.ldb.modify(m)
 238
 239         m = Message()
 240         m.dn = Dn(self.ldb, "")
 241         m["e1"] = MessageElement("0", FLAG_MOD_REPLACE, "schemaUpgradeInProgress")
 242         self.ldb.modify(m)
 243
 244         # Add a couple of ms-Exch-Configuration-Container to test forward-link
 245         # attributes without backward link (addressBookRoots2)
 246         # e1
 247         # |--> e2
 248         # |    |--> c1
 249         self.ldb.add({
 250             "dn": "cn=e1,%s" % self.ou,
 251             "objectclass": "msExchConfigurationContainer"})
 252         self.ldb.add({
 253             "dn": "cn=e2,%s" % self.ou,
 254             "objectclass": "msExchConfigurationContainer"})
 255
 256         m = Message()
 257         m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
 258         m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
 259                                  FLAG_MOD_ADD, "addressBookRoots2")
 260         self.ldb.modify(m)
 261
 262         m = Message()
 263         m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
 264         m["e1"] = MessageElement("cn=e2,%s" % self.ou,
 265                                  FLAG_MOD_ADD, "addressBookRoots2")
 266         self.ldb.modify(m)
 267
 268     def tearDown(self):
 269         super(MatchRulesTests, self).tearDown()
 270         delete_force(self.ldb, "cn=u4,%s" % self.ou_users)
 271         delete_force(self.ldb, "cn=u3,%s" % self.ou_users)
 272         delete_force(self.ldb, "cn=u2,%s" % self.ou_users)
 273         delete_force(self.ldb, "cn=u1,%s" % self.ou_users)
 274         delete_force(self.ldb, "cn=g4,%s" % self.ou_groups)
 275         delete_force(self.ldb, "cn=g3,%s" % self.ou_groups)
 276         delete_force(self.ldb, "cn=g2,%s" % self.ou_groups)
 277         delete_force(self.ldb, "cn=g1,%s" % self.ou_groups)
 278         delete_force(self.ldb, "cn=c1,%s" % self.ou_computers)
 279         delete_force(self.ldb, "cn=c2,%s" % self.ou_computers)
 280         delete_force(self.ldb, "cn=c3,%s" % self.ou_computers)
 281         delete_force(self.ldb, self.ou_users)
 282         delete_force(self.ldb, self.ou_groups)
 283         delete_force(self.ldb, self.ou_computers)
 284         delete_force(self.ldb, "OU=o4,OU=o3,OU=o2,OU=o1,%s" % self.ou)
 285         delete_force(self.ldb, "OU=o3,OU=o2,OU=o1,%s" % self.ou)
 286         delete_force(self.ldb, "OU=o2,OU=o1,%s" % self.ou)
 287         delete_force(self.ldb, "OU=o1,%s" % self.ou)
 288         delete_force(self.ldb, "CN=e2,%s" % self.ou)
 289         delete_force(self.ldb, "CN=e1,%s" % self.ou)
 290         delete_force(self.ldb, self.ou)
 291
 292     def test_u1_member_of_g4(self):
 293         # Search without transitive match must return 0 results
 294         res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
 295                         scope=SCOPE_BASE,
 296                         expression="member=cn=u1,%s" % self.ou_users)
 297         self.assertTrue(len(res1) == 0)
 298
 299         res1 = self.ldb.search("cn=u1,%s" % self.ou_users,
 300                         scope=SCOPE_BASE,
 301                         expression="memberOf=cn=g4,%s" % self.ou_groups)
 302         self.assertTrue(len(res1) == 0)
 303
 304         # Search with transitive match must return 1 results
 305         res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
 306                         scope=SCOPE_BASE,
 307                         expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
 308         self.assertTrue(len(res1) == 1)
 309
 310         res1 = self.ldb.search("cn=u1,%s" % self.ou_users,
 311                         scope=SCOPE_BASE,
 312                         expression="memberOf:1.2.840.113556.1.4.1941:=cn=g4,%s" % self.ou_groups)
 313         self.assertTrue(len(res1) == 1)
 314
 315     def test_g1_member_of_g4(self):
 316         # Search without transitive match must return 0 results
 317         res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
 318                         scope=SCOPE_BASE,
 319                         expression="member=cn=g1,%s" % self.ou_groups)
 320         self.assertTrue(len(res1) == 0)
 321
 322         res1 = self.ldb.search("cn=g1,%s" % self.ou_groups,
 323                         scope=SCOPE_BASE,
 324                         expression="memberOf=cn=g4,%s" % self.ou_groups)
 325         self.assertTrue(len(res1) == 0)
 326
 327         # Search with transitive match must return 1 results
 328         res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
 329                         scope=SCOPE_BASE,
 330                         expression="member:1.2.840.113556.1.4.1941:=cn=g1,%s" % self.ou_groups)
 331         self.assertTrue(len(res1) == 1)
 332
 333         res1 = self.ldb.search("cn=g1,%s" % self.ou_groups,
 334                         scope=SCOPE_BASE,
 335                         expression="memberOf:1.2.840.113556.1.4.1941:=cn=g4,%s" % self.ou_groups)
 336         self.assertTrue(len(res1) == 1)
 337
 338     def test_u1_groups(self):
 339         res1 = self.ldb.search(self.ou_groups,
 340                         scope=SCOPE_SUBTREE,
 341                         expression="member=cn=u1,%s" % self.ou_users)
 342         self.assertTrue(len(res1) == 1)
 343
 344         res1 = self.ldb.search(self.ou_groups,
 345                         scope=SCOPE_SUBTREE,
 346                         expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
 347         self.assertTrue(len(res1) == 4)
 348
 349     def test_u2_groups(self):
 350         res1 = self.ldb.search(self.ou_groups,
 351                         scope=SCOPE_SUBTREE,
 352                         expression="member=cn=u2,%s" % self.ou_users)
 353         self.assertTrue(len(res1) == 1)
 354
 355         res1 = self.ldb.search(self.ou_groups,
 356                         scope=SCOPE_SUBTREE,
 357                         expression="member:1.2.840.113556.1.4.1941:=cn=u2,%s" % self.ou_users)
 358         self.assertTrue(len(res1) == 3)
 359
 360     def test_u3_groups(self):
 361         res1 = self.ldb.search(self.ou_groups,
 362                         scope=SCOPE_SUBTREE,
 363                         expression="member=cn=u3,%s" % self.ou_users)
 364         self.assertTrue(len(res1) == 1)
 365
 366         res1 = self.ldb.search(self.ou_groups,
 367                         scope=SCOPE_SUBTREE,
 368                         expression="member:1.2.840.113556.1.4.1941:=cn=u3,%s" % self.ou_users)
 369         self.assertTrue(len(res1) == 2)
 370
 371     def test_u4_groups(self):
 372         res1 = self.ldb.search(self.ou_groups,
 373                         scope=SCOPE_SUBTREE,
 374                         expression="member=cn=u4,%s" % self.ou_users)
 375         self.assertTrue(len(res1) == 1)
 376
 377         res1 = self.ldb.search(self.ou_groups,
 378                         scope=SCOPE_SUBTREE,
 379                         expression="member:1.2.840.113556.1.4.1941:=cn=u4,%s" % self.ou_users)
 380         self.assertTrue(len(res1) == 1)
 381
 382     def test_extended_dn(self):
 383         res1 = self.ldb.search("cn=u1,%s" % self.ou_users,
 384                         scope=SCOPE_BASE,
 385                         expression="objectClass=*",
 386                         attrs=['objectSid', 'objectGUID'])
 387         self.assertTrue(len(res1) == 1)
 388
 389         sid = self.ldb.schema_format_value("objectSid", res1[0]["objectSid"][0])
 390         guid = self.ldb.schema_format_value("objectGUID", res1[0]['objectGUID'][0])
 391
 392         res1 = self.ldb.search(self.ou_groups,
 393                         scope=SCOPE_SUBTREE,
 394                         expression="member=<SID=%s>" % sid)
 395         self.assertTrue(len(res1) == 1)
 396
 397         res1 = self.ldb.search(self.ou_groups,
 398                         scope=SCOPE_SUBTREE,
 399                         expression="member=<GUID=%s>" % guid)
 400         self.assertTrue(len(res1) == 1)
 401
 402         res1 = self.ldb.search(self.ou_groups,
 403                         scope=SCOPE_SUBTREE,
 404                         expression="member:1.2.840.113556.1.4.1941:=<SID=%s>" % sid)
 405         self.assertTrue(len(res1) == 4)
 406
 407         res1 = self.ldb.search(self.ou_groups,
 408                         scope=SCOPE_SUBTREE,
 409                         expression="member:1.2.840.113556.1.4.1941:=<GUID=%s>" % guid)
 410         self.assertTrue(len(res1) == 4)
 411
 412     def test_object_dn_binary(self):
 413         res1 = self.ldb.search(self.ou_computers,
 414                         scope=SCOPE_SUBTREE,
 415                         expression="msDS-RevealedUsers=B:8:01010101:cn=c3,%s" % self.ou_computers)
 416         self.assertTrue(len(res1) == 1)
 417
 418         res1 = self.ldb.search(self.ou_computers,
 419                         scope=SCOPE_SUBTREE,
 420                         expression="msDS-RevealedUsers:1.2.840.113556.1.4.1941:=B:8:01010101:cn=c3,%s" % self.ou_computers)
 421         self.assertTrue(len(res1) == 2)
 422
 423     def test_one_way_links(self):
 424         res1 = self.ldb.search(self.ou,
 425                         scope=SCOPE_SUBTREE,
 426                         expression="addressBookRoots2=cn=c1,%s" % self.ou_computers)
 427         self.assertTrue(len(res1) == 1)
 428
 429         res1 = self.ldb.search(self.ou,
 430                         scope=SCOPE_SUBTREE,
 431                         expression="addressBookRoots2:1.2.840.113556.1.4.1941:=cn=c1,%s" % self.ou_computers)
 432         self.assertTrue(len(res1) == 2)
 433
 434     def test_not_linked_attrs(self):
 435         res1 = self.ldb.search(self.base_dn,
 436                         scope=SCOPE_BASE,
 437                         expression="wellKnownObjects=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,%s" % self.base_dn)
 438         self.assertTrue(len(res1) == 1)
 439
 440         res1 = self.ldb.search(self.base_dn,
 441                         scope=SCOPE_BASE,
 442                         expression="wellKnownObjects:1.2.840.113556.1.4.1941:=B:32:aa312825768811d1aded00c04fd8d5cd:CN=computers,%s" % self.base_dn)
 443         self.assertTrue(len(res1) == 0)
 444
 445
 446         res1 = self.ldb.search(self.ou,
 447                         scope=SCOPE_SUBTREE,
 448                         expression="otherWellKnownObjects=B:32:00000000000000000000000000000004:OU=o4,OU=o3,OU=o2,OU=o1,%s" % self.ou)
 449         self.assertTrue(len(res1) == 1)
 450
 451         res1 = self.ldb.search(self.ou,
 452                         scope=SCOPE_SUBTREE,
 453                         expression="otherWellKnownObjects:1.2.840.113556.1.4.1941:=B:32:00000000000000000000000000000004:OU=o4,OU=o3,OU=o2,OU=o1,%s" % self.ou)
 454         self.assertTrue(len(res1) == 0)
 455
 456 parser = optparse.OptionParser("match_rules.py [options] <host>")
 457 sambaopts = options.SambaOptions(parser)
 458 parser.add_option_group(sambaopts)
 459 parser.add_option_group(options.VersionOptions(parser))
 460
 461 # use command line creds if available
 462 credopts = options.CredentialsOptions(parser)
 463 parser.add_option_group(credopts)
 464 opts, args = parser.parse_args()
 465 subunitopts = SubunitOptions(parser)
 466 parser.add_option_group(subunitopts)
 467
 468 if len(args) < 1:
 469     parser.print_usage()
 470     sys.exit(1)
 471
 472 host = args[0]
 473
 474 lp = sambaopts.get_loadparm()
 475 creds = credopts.get_credentials(lp)
 476
 477 if not "://" in host:
 478     if os.path.isfile(host):
 479         host = "tdb://%s" % host
 480     else:
 481         host = "ldap://%s" % host
 482
 483 TestProgram(module=__name__, opts=subunitopts)