1#!/usr/bin/python 2# -*- coding: utf-8 -*- 3 4import getopt 5import optparse 6import sys 7import os 8import base64 9import re 10import random 11 12sys.path.append("bin/python") 13sys.path.append("../lib/subunit/python") 14 15import samba.getopt as options 16 17# Some error messages that are being tested 18from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError 19from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM 20from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS 21 22# For running the test unit 23from samba.ndr import ndr_pack, ndr_unpack 24from samba.dcerpc import security 25 26from samba.auth import system_session 27from samba import Ldb, DS_DOMAIN_FUNCTION_2008 28from subunit import SubunitTestRunner 29import unittest 30 31parser = optparse.OptionParser("sec_descriptor [options] <host>") 32sambaopts = options.SambaOptions(parser) 33parser.add_option_group(sambaopts) 34parser.add_option_group(options.VersionOptions(parser)) 35 36# use command line creds if available 37credopts = options.CredentialsOptions(parser) 38parser.add_option_group(credopts) 39opts, args = parser.parse_args() 40 41if len(args) < 1: 42 parser.print_usage() 43 sys.exit(1) 44 45host = args[0] 46 47lp = sambaopts.get_loadparm() 48creds = credopts.get_credentials(lp) 49 50# 51# Tests start here 52# 53 54class DescriptorTests(unittest.TestCase): 55 56 def delete_force(self, ldb, dn): 57 try: 58 ldb.delete(dn) 59 except LdbError, (num, _): 60 self.assertEquals(num, ERR_NO_SUCH_OBJECT) 61 62 def find_basedn(self, ldb): 63 res = ldb.search(base="", expression="", scope=SCOPE_BASE, 64 attrs=["defaultNamingContext"]) 65 self.assertEquals(len(res), 1) 66 return res[0]["defaultNamingContext"][0] 67 68 def find_configurationdn(self, ldb): 69 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"]) 70 self.assertEquals(len(res), 1) 71 return res[0]["configurationNamingContext"][0] 72 73 def find_schemadn(self, ldb): 74 res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"]) 75 self.assertEquals(len(res), 1) 76 return res[0]["schemaNamingContext"][0] 77 78 def find_domain_sid(self, ldb): 79 res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) 80 return ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) 81 82 def get_users_domain_dn(self, name): 83 return "CN=%s,CN=Users,%s" % (name, self.base_dn) 84 85 def modify_desc(self, object_dn, desc): 86 assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) 87 mod = """ 88dn: """ + object_dn + """ 89changetype: modify 90replace: nTSecurityDescriptor 91""" 92 if isinstance(desc, str): 93 mod += "nTSecurityDescriptor: %s" % desc 94 elif isinstance(desc, security.descriptor): 95 mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) 96 self.ldb_admin.modify_ldif(mod) 97 98 def create_domain_ou(self, _ldb, ou_dn, desc=None): 99 ldif = """ 100dn: """ + ou_dn + """ 101ou: """ + ou_dn.split(",")[0][3:] + """ 102objectClass: organizationalUnit 103url: www.example.com 104""" 105 if desc: 106 assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) 107 if isinstance(desc, str): 108 ldif += "nTSecurityDescriptor: %s" % desc 109 elif isinstance(desc, security.descriptor): 110 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) 111 _ldb.add_ldif(ldif) 112 113 def create_domain_user(self, _ldb, user_dn, desc=None): 114 ldif = """ 115dn: """ + user_dn + """ 116sAMAccountName: """ + user_dn.split(",")[0][3:] + """ 117objectClass: user 118userPassword: samba123@ 119url: www.example.com 120""" 121 if desc: 122 assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) 123 if isinstance(desc, str): 124 ldif += "nTSecurityDescriptor: %s" % desc 125 elif isinstance(desc, security.descriptor): 126 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) 127 _ldb.add_ldif(ldif) 128 129 def create_domain_group(self, _ldb, group_dn, desc=None): 130 ldif = """ 131dn: """ + group_dn + """ 132objectClass: group 133sAMAccountName: """ + group_dn.split(",")[0][3:] + """ 134groupType: 4 135url: www.example.com 136""" 137 if desc: 138 assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) 139 if isinstance(desc, str): 140 ldif += "nTSecurityDescriptor: %s" % desc 141 elif isinstance(desc, security.descriptor): 142 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) 143 _ldb.add_ldif(ldif) 144 145 def get_unique_schema_class_name(self): 146 while True: 147 class_name = "test-class%s" % random.randint(1,100000) 148 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 149 try: 150 self.ldb_admin.search(base=class_dn, attrs=["*"]) 151 except LdbError, (num, _): 152 self.assertEquals(num, ERR_NO_SUCH_OBJECT) 153 return class_name 154 155 def create_schema_class(self, _ldb, object_dn, desc=None): 156 ldif = """ 157dn: """ + object_dn + """ 158objectClass: classSchema 159objectCategory: CN=Class-Schema,""" + self.schema_dn + """ 160defaultObjectCategory: """ + object_dn + """ 161distinguishedName: """ + object_dn + """ 162governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 163instanceType: 4 164objectClassCategory: 1 165subClassOf: organizationalPerson 166systemFlags: 16 167rDNAttID: cn 168systemMustContain: cn 169systemOnly: FALSE 170""" 171 if desc: 172 assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) 173 if isinstance(desc, str): 174 ldif += "nTSecurityDescriptor: %s" % desc 175 elif isinstance(desc, security.descriptor): 176 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) 177 _ldb.add_ldif(ldif) 178 179 def create_configuration_container(self, _ldb, object_dn, desc=None): 180 ldif = """ 181dn: """ + object_dn + """ 182objectClass: container 183objectCategory: CN=Container,""" + self.schema_dn + """ 184showInAdvancedViewOnly: TRUE 185instanceType: 4 186""" 187 if desc: 188 assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) 189 if isinstance(desc, str): 190 ldif += "nTSecurityDescriptor: %s" % desc 191 elif isinstance(desc, security.descriptor): 192 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) 193 _ldb.add_ldif(ldif) 194 195 def create_configuration_specifier(self, _ldb, object_dn, desc=None): 196 ldif = """ 197dn: """ + object_dn + """ 198objectClass: displaySpecifier 199showInAdvancedViewOnly: TRUE 200""" 201 if desc: 202 assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) 203 if isinstance(desc, str): 204 ldif += "nTSecurityDescriptor: %s" % desc 205 elif isinstance(desc, security.descriptor): 206 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) 207 _ldb.add_ldif(ldif) 208 209 def read_desc(self, object_dn): 210 res = self.ldb_admin.search(base=object_dn, attrs=["nTSecurityDescriptor"]) 211 desc = res[0]["nTSecurityDescriptor"][0] 212 return ndr_unpack( security.descriptor, desc ) 213 214 def enable_account(self, user_dn): 215 """Enable an account. 216 :param user_dn: Dn of the account to enable. 217 """ 218 res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"]) 219 assert len(res) == 1 220 userAccountControl = res[0]["userAccountControl"][0] 221 userAccountControl = int(userAccountControl) 222 if (userAccountControl & 0x2): 223 userAccountControl = userAccountControl & ~0x2 # remove disabled bit 224 if (userAccountControl & 0x20): 225 userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit 226 mod = """ 227dn: """ + user_dn + """ 228changetype: modify 229replace: userAccountControl 230userAccountControl: %s""" % userAccountControl 231 if self.WIN2003: 232 mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod) 233 self.ldb_admin.modify_ldif(mod) 234 235 def get_ldb_connection(self, target_username, target_password): 236 username_save = creds.get_username(); password_save = creds.get_password() 237 creds.set_username(target_username) 238 creds.set_password(target_password) 239 ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp) 240 creds.set_username(username_save); creds.set_password(password_save) 241 return ldb_target 242 243 def get_object_sid(self, object_dn): 244 res = self.ldb_admin.search(object_dn) 245 return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] ) 246 247 def dacl_add_ace(self, object_dn, ace): 248 desc = self.read_desc( object_dn ) 249 desc_sddl = desc.as_sddl( self.domain_sid ) 250 if ace in desc_sddl: 251 return 252 if desc_sddl.find("(") >= 0: 253 desc_sddl = desc_sddl[0:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):] 254 else: 255 desc_sddl = desc_sddl + ace 256 self.modify_desc(object_dn, desc_sddl) 257 258 def get_desc_sddl(self, object_dn): 259 """ Return object nTSecutiryDescriptor in SDDL format 260 """ 261 desc = self.read_desc(object_dn) 262 return desc.as_sddl(self.domain_sid) 263 264 def setUp(self): 265 self.ldb_admin = ldb 266 self.base_dn = self.find_basedn(self.ldb_admin) 267 self.configuration_dn = self.find_configurationdn(self.ldb_admin) 268 self.schema_dn = self.find_schemadn(self.ldb_admin) 269 self.domain_sid = self.find_domain_sid(self.ldb_admin) 270 print "baseDN: %s" % self.base_dn 271 self.SAMBA = False; self.WIN2003 = False 272 res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"]) 273 if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]: 274 self.SAMBA = True 275 else: 276 self.WIN2003 = True 277 #print "self.SAMBA:", self.SAMBA 278 #print "self.WIN2003:", self.WIN2003 279 280 ################################################################################################ 281 282 ## Tests for DOMAIN 283 284 # Default descriptor tests ##################################################################### 285 286class OwnerGroupDescriptorTests(DescriptorTests): 287 288 def setUp(self): 289 DescriptorTests.setUp(self) 290 if self.SAMBA: 291 ### Create users 292 # User 1 293 user_dn = self.get_users_domain_dn("testuser1") 294 self.create_domain_user(self.ldb_admin, user_dn) 295 self.enable_account(user_dn) 296 ldif = """ 297dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ 298changetype: add 299member: """ + user_dn 300 self.ldb_admin.modify_ldif(ldif) 301 # User 2 302 user_dn = self.get_users_domain_dn("testuser2") 303 self.create_domain_user(self.ldb_admin, user_dn) 304 self.enable_account(user_dn) 305 ldif = """ 306dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ 307changetype: add 308member: """ + user_dn 309 self.ldb_admin.modify_ldif(ldif) 310 # User 3 311 user_dn = self.get_users_domain_dn("testuser3") 312 self.create_domain_user(self.ldb_admin, user_dn) 313 self.enable_account(user_dn) 314 ldif = """ 315dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ 316changetype: add 317member: """ + user_dn 318 self.ldb_admin.modify_ldif(ldif) 319 # User 4 320 user_dn = self.get_users_domain_dn("testuser4") 321 self.create_domain_user(self.ldb_admin, user_dn) 322 self.enable_account(user_dn) 323 # User 5 324 user_dn = self.get_users_domain_dn("testuser5") 325 self.create_domain_user(self.ldb_admin, user_dn) 326 self.enable_account(user_dn) 327 ldif = """ 328dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ 329changetype: add 330member: """ + user_dn + """ 331 332dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ 333changetype: add 334member: """ + user_dn 335 self.ldb_admin.modify_ldif(ldif) 336 # User 6 337 user_dn = self.get_users_domain_dn("testuser6") 338 self.create_domain_user(self.ldb_admin, user_dn) 339 self.enable_account(user_dn) 340 ldif = """ 341dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ 342changetype: add 343member: """ + user_dn + """ 344 345dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ 346changetype: add 347member: """ + user_dn + """ 348 349dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ 350changetype: add 351member: """ + user_dn 352 self.ldb_admin.modify_ldif(ldif) 353 # User 7 354 user_dn = self.get_users_domain_dn("testuser7") 355 self.create_domain_user(self.ldb_admin, user_dn) 356 self.enable_account(user_dn) 357 ldif = """ 358dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ 359changetype: add 360member: """ + user_dn + """ 361 362dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ 363changetype: add 364member: """ + user_dn 365 self.ldb_admin.modify_ldif(ldif) 366 # User 8 367 user_dn = self.get_users_domain_dn("testuser8") 368 self.create_domain_user(self.ldb_admin, user_dn) 369 self.enable_account(user_dn) 370 ldif = """ 371dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ 372changetype: add 373member: """ + user_dn + """ 374 375dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ 376changetype: add 377member: """ + user_dn 378 self.ldb_admin.modify_ldif(ldif) 379 self.results = { 380 # msDS-Behavior-Version < DS_DOMAIN_FUNCTION_2008 381 "ds_behavior_win2003" : { 382 "100" : "O:EAG:DU", 383 "101" : "O:DAG:DU", 384 "102" : "O:%sG:DU", 385 "103" : "O:%sG:DU", 386 "104" : "O:DAG:DU", 387 "105" : "O:DAG:DU", 388 "106" : "O:DAG:DU", 389 "107" : "O:EAG:DU", 390 "108" : "O:DAG:DA", 391 "109" : "O:DAG:DA", 392 "110" : "O:%sG:DA", 393 "111" : "O:%sG:DA", 394 "112" : "O:DAG:DA", 395 "113" : "O:DAG:DA", 396 "114" : "O:DAG:DA", 397 "115" : "O:DAG:DA", 398 "130" : "O:EAG:DU", 399 "131" : "O:DAG:DU", 400 "132" : "O:SAG:DU", 401 "133" : "O:%sG:DU", 402 "134" : "O:EAG:DU", 403 "135" : "O:SAG:DU", 404 "136" : "O:SAG:DU", 405 "137" : "O:SAG:DU", 406 "138" : "O:DAG:DA", 407 "139" : "O:DAG:DA", 408 "140" : "O:%sG:DA", 409 "141" : "O:%sG:DA", 410 "142" : "O:DAG:DA", 411 "143" : "O:DAG:DA", 412 "144" : "O:DAG:DA", 413 "145" : "O:DAG:DA", 414 "160" : "O:EAG:DU", 415 "161" : "O:DAG:DU", 416 "162" : "O:%sG:DU", 417 "163" : "O:%sG:DU", 418 "164" : "O:EAG:DU", 419 "165" : "O:EAG:DU", 420 "166" : "O:DAG:DU", 421 "167" : "O:EAG:DU", 422 "168" : "O:DAG:DA", 423 "169" : "O:DAG:DA", 424 "170" : "O:%sG:DA", 425 "171" : "O:%sG:DA", 426 "172" : "O:DAG:DA", 427 "173" : "O:DAG:DA", 428 "174" : "O:DAG:DA", 429 "175" : "O:DAG:DA", 430 }, 431 # msDS-Behavior-Version >= 3 432 "ds_behavior_win2008" : { 433 "100" : "O:EAG:EA", 434 "101" : "O:DAG:DA", 435 "102" : "O:%sG:DU", 436 "103" : "O:%sG:DU", 437 "104" : "O:DAG:DA", 438 "105" : "O:DAG:DA", 439 "106" : "O:DAG:DA", 440 "107" : "O:EAG:EA", 441 "108" : "O:DAG:DA", 442 "109" : "O:DAG:DA", 443 "110" : "O:%sG:DA", 444 "111" : "O:%sG:DA", 445 "112" : "O:DAG:DA", 446 "113" : "O:DAG:DA", 447 "114" : "O:DAG:DA", 448 "115" : "O:DAG:DA", 449 "130" : "", 450 "131" : "", 451 "132" : "", 452 "133" : "%s", 453 "134" : "", 454 "135" : "", 455 "136" : "", 456 "137" : "", 457 "138" : "", 458 "139" : "", 459 "140" : "%s", 460 "141" : "%s", 461 "142" : "", 462 "143" : "", 463 "144" : "", 464 "145" : "", 465 "160" : "O:EAG:EA", 466 "161" : "O:DAG:DA", 467 "162" : "O:%sG:DU", 468 "163" : "O:%sG:DU", 469 "164" : "O:EAG:EA", 470 "165" : "O:EAG:EA", 471 "166" : "O:DAG:DA", 472 "167" : "O:EAG:EA", 473 "168" : "O:DAG:DA", 474 "169" : "O:DAG:DA", 475 "170" : "O:%sG:DA", 476 "171" : "O:%sG:DA", 477 "172" : "O:DAG:DA", 478 "173" : "O:DAG:DA", 479 "174" : "O:DAG:DA", 480 "175" : "O:DAG:DA", 481 }, 482 } 483 # Discover 'msDS-Behavior-Version' 484 res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \ 485 attrs=['msDS-Behavior-Version']) 486 res = int(res[0]['msDS-Behavior-Version'][0]) 487 if res < DS_DOMAIN_FUNCTION_2008: 488 self.DS_BEHAVIOR = "ds_behavior_win2003" 489 else: 490 self.DS_BEHAVIOR = "ds_behavior_win2008" 491 492 def tearDown(self): 493 if self.SAMBA: 494 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1")) 495 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2")) 496 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3")) 497 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4")) 498 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5")) 499 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6")) 500 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7")) 501 self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8")) 502 # DOMAIN 503 self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1")) 504 self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn) 505 self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn) 506 self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) 507 # SCHEMA 508 # CONFIGURATION 509 self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \ 510 + self.configuration_dn) 511 self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn) 512 513 def check_user_belongs(self, user_dn, groups=[]): 514 """ Test wether user is member of the expected group(s) """ 515 if groups != []: 516 # User is member of at least one additional group 517 res = self.ldb_admin.search(user_dn, attrs=["memberOf"]) 518 res = [x.upper() for x in sorted(list(res[0]["memberOf"]))] 519 expected = [] 520 for x in groups: 521 expected.append(self.get_users_domain_dn(x)) 522 expected = [x.upper() for x in sorted(expected)] 523 self.assertEqual(expected, res) 524 else: 525 # User is not a member of any additional groups but default 526 res = self.ldb_admin.search(user_dn, attrs=["*"]) 527 res = [x.upper() for x in res[0].keys()] 528 self.assertFalse( "MEMBEROF" in res) 529 530 def test_100(self): 531 """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN 532 """ 533 user_name = "testuser1" 534 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) 535 # Open Ldb connection with the tested user 536 _ldb = self.get_ldb_connection("testuser1", "samba123@") 537 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 538 self.delete_force(self.ldb_admin, group_dn) 539 self.create_domain_group(_ldb, group_dn) 540 desc_sddl = self.get_desc_sddl(group_dn) 541 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 542 self.assertEqual(self.results[self.DS_BEHAVIOR]["100"], res) 543 544 def test_101(self): 545 """ Dmain admin group member creates object (default nTSecurityDescriptor) in DOMAIN 546 """ 547 user_name = "testuser2" 548 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) 549 # Open Ldb connection with the tested user 550 _ldb = self.get_ldb_connection(user_name, "samba123@") 551 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 552 self.delete_force(self.ldb_admin, group_dn) 553 self.create_domain_group(_ldb, group_dn) 554 desc_sddl = self.get_desc_sddl(group_dn) 555 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 556 self.assertEqual(self.results[self.DS_BEHAVIOR]["101"], res) 557 558 def test_102(self): 559 """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN 560 """ 561 user_name = "testuser3" 562 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) 563 # Open Ldb connection with the tested user 564 _ldb = self.get_ldb_connection(user_name, "samba123@") 565 object_dn = "OU=test_domain_ou1," + self.base_dn 566 self.delete_force(self.ldb_admin, object_dn) 567 self.create_domain_ou(self.ldb_admin, object_dn) 568 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 569 mod = "(A;;CC;;;%s)" % str(user_sid) 570 self.dacl_add_ace(object_dn, mod) 571 # Create additional object into the first one 572 object_dn = "CN=test_domain_user1," + object_dn 573 self.delete_force(self.ldb_admin, object_dn) 574 self.create_domain_user(_ldb, object_dn) 575 desc_sddl = self.get_desc_sddl(object_dn) 576 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 577 self.assertEqual(self.results[self.DS_BEHAVIOR]["102"] % str(user_sid), res) 578 579 def test_103(self): 580 """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN 581 """ 582 user_name = "testuser4" 583 self.check_user_belongs(self.get_users_domain_dn(user_name), []) 584 # Open Ldb connection with the tested user 585 _ldb = self.get_ldb_connection(user_name, "samba123@") 586 object_dn = "OU=test_domain_ou1," + self.base_dn 587 self.delete_force(self.ldb_admin, object_dn) 588 self.create_domain_ou(self.ldb_admin, object_dn) 589 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 590 mod = "(A;;CC;;;%s)" % str(user_sid) 591 self.dacl_add_ace(object_dn, mod) 592 # Create additional object into the first one 593 object_dn = "CN=test_domain_user1," + object_dn 594 self.delete_force(self.ldb_admin, object_dn) 595 self.create_domain_user(_ldb, object_dn) 596 desc_sddl = self.get_desc_sddl(object_dn) 597 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 598 self.assertEqual(self.results[self.DS_BEHAVIOR]["103"] % str(user_sid), res) 599 600 def test_104(self): 601 """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN 602 """ 603 user_name = "testuser5" 604 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) 605 # Open Ldb connection with the tested user 606 _ldb = self.get_ldb_connection(user_name, "samba123@") 607 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 608 self.delete_force(self.ldb_admin, group_dn) 609 self.create_domain_group(_ldb, group_dn) 610 desc_sddl = self.get_desc_sddl(group_dn) 611 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 612 self.assertEqual(self.results[self.DS_BEHAVIOR]["104"], res) 613 614 def test_105(self): 615 """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN 616 """ 617 user_name = "testuser6" 618 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) 619 # Open Ldb connection with the tested user 620 _ldb = self.get_ldb_connection(user_name, "samba123@") 621 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 622 self.delete_force(self.ldb_admin, group_dn) 623 self.create_domain_group(_ldb, group_dn) 624 desc_sddl = self.get_desc_sddl(group_dn) 625 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 626 self.assertEqual(self.results[self.DS_BEHAVIOR]["105"], res) 627 628 def test_106(self): 629 """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN 630 """ 631 user_name = "testuser7" 632 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) 633 # Open Ldb connection with the tested user 634 _ldb = self.get_ldb_connection(user_name, "samba123@") 635 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 636 self.delete_force(self.ldb_admin, group_dn) 637 self.create_domain_group(_ldb, group_dn) 638 desc_sddl = self.get_desc_sddl(group_dn) 639 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 640 self.assertEqual(self.results[self.DS_BEHAVIOR]["106"], res) 641 642 def test_107(self): 643 """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN 644 """ 645 user_name = "testuser8" 646 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) 647 # Open Ldb connection with the tested user 648 _ldb = self.get_ldb_connection(user_name, "samba123@") 649 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 650 self.delete_force(self.ldb_admin, group_dn) 651 self.create_domain_group(_ldb, group_dn) 652 desc_sddl = self.get_desc_sddl(group_dn) 653 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 654 self.assertEqual(self.results[self.DS_BEHAVIOR]["107"], res) 655 656 # Control descriptor tests ##################################################################### 657 658 def test_108(self): 659 """ Enterprise admin group member creates object (custom descriptor) in DOMAIN 660 """ 661 user_name = "testuser1" 662 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) 663 # Open Ldb connection with the tested user 664 _ldb = self.get_ldb_connection(user_name, "samba123@") 665 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 666 self.delete_force(self.ldb_admin, group_dn) 667 # Create a custom security descriptor 668 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 669 self.create_domain_group(_ldb, group_dn, desc_sddl) 670 desc_sddl = self.get_desc_sddl(group_dn) 671 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 672 self.assertEqual(self.results[self.DS_BEHAVIOR]["108"], res) 673 674 def test_109(self): 675 """ Domain admin group member creates object (custom descriptor) in DOMAIN 676 """ 677 user_name = "testuser2" 678 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) 679 # Open Ldb connection with the tested user 680 _ldb = self.get_ldb_connection(user_name, "samba123@") 681 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 682 self.delete_force(self.ldb_admin, group_dn) 683 # Create a custom security descriptor 684 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 685 self.create_domain_group(_ldb, group_dn, desc_sddl) 686 desc_sddl = self.get_desc_sddl(group_dn) 687 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 688 self.assertEqual(self.results[self.DS_BEHAVIOR]["109"], res) 689 690 def test_110(self): 691 """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN 692 """ 693 user_name = "testuser3" 694 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) 695 # Open Ldb connection with the tested user 696 _ldb = self.get_ldb_connection(user_name, "samba123@") 697 object_dn = "OU=test_domain_ou1," + self.base_dn 698 self.delete_force(self.ldb_admin, object_dn) 699 self.create_domain_ou(self.ldb_admin, object_dn) 700 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 701 mod = "(A;;CC;;;%s)" % str(user_sid) 702 self.dacl_add_ace(object_dn, mod) 703 # Create a custom security descriptor 704 # NB! Problematic owner part won't accept DA only <User Sid> !!! 705 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) 706 # Create additional object into the first one 707 object_dn = "CN=test_domain_user1," + object_dn 708 self.delete_force(self.ldb_admin, object_dn) 709 self.create_domain_user(_ldb, object_dn, desc_sddl) 710 desc = self.read_desc(object_dn) 711 desc_sddl = self.get_desc_sddl(object_dn) 712 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 713 self.assertEqual(self.results[self.DS_BEHAVIOR]["110"] % str(user_sid), res) 714 715 def test_111(self): 716 """ Regular user with CC right creates object (custom descriptor) in DOMAIN 717 """ 718 user_name = "testuser4" 719 self.check_user_belongs(self.get_users_domain_dn(user_name), []) 720 # Open Ldb connection with the tested user 721 _ldb = self.get_ldb_connection(user_name, "samba123@") 722 object_dn = "OU=test_domain_ou1," + self.base_dn 723 self.delete_force(self.ldb_admin, object_dn) 724 self.create_domain_ou(self.ldb_admin, object_dn) 725 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 726 mod = "(A;;CC;;;%s)" % str(user_sid) 727 self.dacl_add_ace(object_dn, mod) 728 # Create a custom security descriptor 729 # NB! Problematic owner part won't accept DA only <User Sid> !!! 730 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) 731 # Create additional object into the first one 732 object_dn = "CN=test_domain_user1," + object_dn 733 self.delete_force(self.ldb_admin, object_dn) 734 self.create_domain_user(_ldb, object_dn, desc_sddl) 735 desc = self.read_desc(object_dn) 736 desc_sddl = self.get_desc_sddl(object_dn) 737 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 738 self.assertEqual(self.results[self.DS_BEHAVIOR]["111"] % str(user_sid), res) 739 740 def test_112(self): 741 """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN 742 """ 743 user_name = "testuser5" 744 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) 745 # Open Ldb connection with the tested user 746 _ldb = self.get_ldb_connection(user_name, "samba123@") 747 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 748 self.delete_force(self.ldb_admin, group_dn) 749 # Create a custom security descriptor 750 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 751 self.create_domain_group(_ldb, group_dn, desc_sddl) 752 desc_sddl = self.get_desc_sddl(group_dn) 753 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 754 self.assertEqual(self.results[self.DS_BEHAVIOR]["112"], res) 755 756 def test_113(self): 757 """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN 758 """ 759 user_name = "testuser6" 760 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) 761 # Open Ldb connection with the tested user 762 _ldb = self.get_ldb_connection(user_name, "samba123@") 763 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 764 self.delete_force(self.ldb_admin, group_dn) 765 # Create a custom security descriptor 766 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 767 self.create_domain_group(_ldb, group_dn, desc_sddl) 768 desc_sddl = self.get_desc_sddl(group_dn) 769 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 770 self.assertEqual(self.results[self.DS_BEHAVIOR]["113"], res) 771 772 def test_114(self): 773 """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN 774 """ 775 user_name = "testuser7" 776 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) 777 # Open Ldb connection with the tested user 778 _ldb = self.get_ldb_connection(user_name, "samba123@") 779 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 780 self.delete_force(self.ldb_admin, group_dn) 781 # Create a custom security descriptor 782 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 783 self.create_domain_group(_ldb, group_dn, desc_sddl) 784 desc_sddl = self.get_desc_sddl(group_dn) 785 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 786 self.assertEqual(self.results[self.DS_BEHAVIOR]["114"], res) 787 788 def test_115(self): 789 """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN 790 """ 791 user_name = "testuser8" 792 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) 793 # Open Ldb connection with the tested user 794 _ldb = self.get_ldb_connection(user_name, "samba123@") 795 group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn 796 self.delete_force(self.ldb_admin, group_dn) 797 # Create a custom security descriptor 798 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 799 self.create_domain_group(_ldb, group_dn, desc_sddl) 800 desc_sddl = self.get_desc_sddl(group_dn) 801 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 802 self.assertEqual(self.results[self.DS_BEHAVIOR]["115"], res) 803 804 805 def test_999(self): 806 user_name = "Administrator" 807 object_dn = "OU=test_domain_ou1," + self.base_dn 808 self.delete_force(self.ldb_admin, object_dn) 809 self.create_domain_ou(self.ldb_admin, object_dn) 810 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 811 mod = "(D;CI;WP;;;S-1-3-0)" 812 #mod = "" 813 self.dacl_add_ace(object_dn, mod) 814 desc_sddl = self.get_desc_sddl(object_dn) 815 # Create additional object into the first one 816 object_dn = "OU=test_domain_ou2," + object_dn 817 self.delete_force(self.ldb_admin, object_dn) 818 self.create_domain_ou(self.ldb_admin, object_dn) 819 desc_sddl = self.get_desc_sddl(object_dn) 820 821 ## Tests for SCHEMA 822 823 # Defalt descriptor tests ################################################################## 824 825 def test_130(self): 826 user_name = "testuser1" 827 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) 828 # Open Ldb connection with the tested user 829 _ldb = self.get_ldb_connection(user_name, "samba123@") 830 # Change Schema partition descriptor 831 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 832 mod = "(A;;CC;;;AU)" 833 self.dacl_add_ace(self.schema_dn, mod) 834 # Create example Schema class 835 class_name = self.get_unique_schema_class_name() 836 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 837 self.create_schema_class(_ldb, class_dn) 838 desc_sddl = self.get_desc_sddl(class_dn) 839 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 840 self.assertEqual(self.results[self.DS_BEHAVIOR]["130"], res) 841 842 def test_131(self): 843 user_name = "testuser2" 844 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) 845 # Open Ldb connection with the tested user 846 _ldb = self.get_ldb_connection(user_name, "samba123@") 847 # Change Schema partition descriptor 848 mod = "(A;;CC;;;AU)" 849 self.dacl_add_ace(self.schema_dn, mod) 850 # Create example Schema class 851 class_name = self.get_unique_schema_class_name() 852 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 853 self.create_schema_class(_ldb, class_dn) 854 desc_sddl = self.get_desc_sddl(class_dn) 855 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 856 self.assertEqual(self.results[self.DS_BEHAVIOR]["131"], res) 857 858 def test_132(self): 859 user_name = "testuser3" 860 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) 861 # Open Ldb connection with the tested user 862 _ldb = self.get_ldb_connection(user_name, "samba123@") 863 # Change Schema partition descriptor 864 mod = "(A;;CC;;;AU)" 865 self.dacl_add_ace(self.schema_dn, mod) 866 # Create example Schema class 867 class_name = self.get_unique_schema_class_name() 868 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 869 self.create_schema_class(_ldb, class_dn) 870 desc_sddl = self.get_desc_sddl(class_dn) 871 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 872 self.assertEqual(self.results[self.DS_BEHAVIOR]["132"], res) 873 874 def test_133(self): 875 user_name = "testuser4" 876 self.check_user_belongs(self.get_users_domain_dn(user_name), []) 877 # Open Ldb connection with the tested user 878 _ldb = self.get_ldb_connection(user_name, "samba123@") 879 #Change Schema partition descriptor 880 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 881 mod = "(A;;CC;;;AU)" 882 self.dacl_add_ace(self.schema_dn, mod) 883 # Create example Schema class 884 class_name = self.get_unique_schema_class_name() 885 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 886 self.create_schema_class(_ldb, class_dn) 887 desc_sddl = self.get_desc_sddl(class_dn) 888 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 889 self.assertEqual(self.results[self.DS_BEHAVIOR]["133"] % str(user_sid), res) 890 891 def test_134(self): 892 user_name = "testuser5" 893 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) 894 # Open Ldb connection with the tested user 895 _ldb = self.get_ldb_connection(user_name, "samba123@") 896 #Change Schema partition descriptor 897 mod = "(A;;CC;;;AU)" 898 self.dacl_add_ace(self.schema_dn, mod) 899 # Create example Schema class 900 class_name = self.get_unique_schema_class_name() 901 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 902 self.create_schema_class(_ldb, class_dn) 903 desc_sddl = self.get_desc_sddl(class_dn) 904 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 905 self.assertEqual(self.results[self.DS_BEHAVIOR]["134"], res) 906 907 def test_135(self): 908 user_name = "testuser6" 909 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) 910 # Open Ldb connection with the tested user 911 _ldb = self.get_ldb_connection(user_name, "samba123@") 912 # Change Schema partition descriptor 913 mod = "(A;;CC;;;AU)" 914 self.dacl_add_ace(self.schema_dn, mod) 915 # Create example Schema class 916 class_name = self.get_unique_schema_class_name() 917 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 918 self.create_schema_class(_ldb, class_dn) 919 desc_sddl = self.get_desc_sddl(class_dn) 920 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 921 self.assertEqual(self.results[self.DS_BEHAVIOR]["135"], res) 922 923 def test_136(self): 924 user_name = "testuser7" 925 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) 926 # Open Ldb connection with the tested user 927 _ldb = self.get_ldb_connection(user_name, "samba123@") 928 # Change Schema partition descriptor 929 mod = "(A;;CC;;;AU)" 930 self.dacl_add_ace(self.schema_dn, mod) 931 # Create example Schema class 932 class_name = self.get_unique_schema_class_name() 933 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 934 self.create_schema_class(_ldb, class_dn) 935 desc_sddl = self.get_desc_sddl(class_dn) 936 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 937 self.assertEqual(self.results[self.DS_BEHAVIOR]["136"], res) 938 939 def test_137(self): 940 user_name = "testuser8" 941 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) 942 # Open Ldb connection with the tested user 943 _ldb = self.get_ldb_connection(user_name, "samba123@") 944 # Change Schema partition descriptor 945 mod = "(A;;CC;;;AU)" 946 self.dacl_add_ace(self.schema_dn, mod) 947 # Create example Schema class 948 class_name = self.get_unique_schema_class_name() 949 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 950 self.create_schema_class(_ldb, class_dn) 951 desc_sddl = self.get_desc_sddl(class_dn) 952 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 953 self.assertEqual(self.results[self.DS_BEHAVIOR]["137"], res) 954 955 # Custom descriptor tests ################################################################## 956 957 def test_138(self): 958 user_name = "testuser1" 959 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) 960 # Open Ldb connection with the tested user 961 _ldb = self.get_ldb_connection(user_name, "samba123@") 962 # Change Schema partition descriptor 963 mod = "(A;;CC;;;AU)" 964 self.dacl_add_ace(self.schema_dn, mod) 965 # Create a custom security descriptor 966 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 967 # Create example Schema class 968 class_name = self.get_unique_schema_class_name() 969 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 970 self.create_schema_class(_ldb, class_dn, desc_sddl) 971 desc_sddl = self.get_desc_sddl(class_dn) 972 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 973 self.assertEqual("O:DAG:DA", res) 974 975 def test_139(self): 976 user_name = "testuser2" 977 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) 978 # Open Ldb connection with the tested user 979 _ldb = self.get_ldb_connection(user_name, "samba123@") 980 # Change Schema partition descriptor 981 mod = "(A;;CC;;;AU)" 982 self.dacl_add_ace(self.schema_dn, mod) 983 # Create a custom security descriptor 984 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 985 # Create example Schema class 986 class_name = self.get_unique_schema_class_name() 987 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 988 self.create_schema_class(_ldb, class_dn, desc_sddl) 989 desc_sddl = self.get_desc_sddl(class_dn) 990 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 991 self.assertEqual("O:DAG:DA", res) 992 993 def test_140(self): 994 user_name = "testuser3" 995 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) 996 # Open Ldb connection with the tested user 997 _ldb = self.get_ldb_connection(user_name, "samba123@") 998 # Create a custom security descriptor 999 # NB! Problematic owner part won't accept DA only <User Sid> !!! 1000 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 1001 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) 1002 # Create example Schema class 1003 class_name = self.get_unique_schema_class_name() 1004 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 1005 self.create_schema_class(_ldb, class_dn, desc_sddl) 1006 desc_sddl = self.get_desc_sddl(class_dn) 1007 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1008 self.assertEqual(self.results[self.DS_BEHAVIOR]["140"] % str(user_sid), res) 1009 1010 def test_141(self): 1011 user_name = "testuser4" 1012 self.check_user_belongs(self.get_users_domain_dn(user_name), []) 1013 # Open Ldb connection with the tested user 1014 _ldb = self.get_ldb_connection(user_name, "samba123@") 1015 # Create a custom security descriptor 1016 # NB! Problematic owner part won't accept DA only <User Sid> !!! 1017 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 1018 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) 1019 # Create example Schema class 1020 class_name = self.get_unique_schema_class_name() 1021 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 1022 self.create_schema_class(_ldb, class_dn, desc_sddl) 1023 desc_sddl = self.get_desc_sddl(class_dn) 1024 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1025 self.assertEqual(self.results[self.DS_BEHAVIOR]["141"] % str(user_sid), res) 1026 1027 def test_142(self): 1028 user_name = "testuser5" 1029 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) 1030 # Open Ldb connection with the tested user 1031 _ldb = self.get_ldb_connection(user_name, "samba123@") 1032 # Change Schema partition descriptor 1033 mod = "(A;;CC;;;AU)" 1034 self.dacl_add_ace(self.schema_dn, mod) 1035 # Create a custom security descriptor 1036 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 1037 # Create example Schema class 1038 class_name = self.get_unique_schema_class_name() 1039 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 1040 self.create_schema_class(_ldb, class_dn, desc_sddl) 1041 desc_sddl = self.get_desc_sddl(class_dn) 1042 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1043 self.assertEqual("O:DAG:DA", res) 1044 1045 def test_143(self): 1046 user_name = "testuser6" 1047 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) 1048 # Open Ldb connection with the tested user 1049 _ldb = self.get_ldb_connection(user_name, "samba123@") 1050 # Change Schema partition descriptor 1051 mod = "(A;;CC;;;AU)" 1052 self.dacl_add_ace(self.schema_dn, mod) 1053 # Create a custom security descriptor 1054 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 1055 # Create example Schema class 1056 class_name = self.get_unique_schema_class_name() 1057 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 1058 self.create_schema_class(_ldb, class_dn, desc_sddl) 1059 desc_sddl = self.get_desc_sddl(class_dn) 1060 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1061 self.assertEqual("O:DAG:DA", res) 1062 1063 def test_144(self): 1064 user_name = "testuser7" 1065 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) 1066 # Open Ldb connection with the tested user 1067 _ldb = self.get_ldb_connection(user_name, "samba123@") 1068 # Change Schema partition descriptor 1069 mod = "(A;;CC;;;AU)" 1070 self.dacl_add_ace(self.schema_dn, mod) 1071 # Create a custom security descriptor 1072 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 1073 # Create example Schema class 1074 class_name = self.get_unique_schema_class_name() 1075 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 1076 self.create_schema_class(_ldb, class_dn, desc_sddl) 1077 desc_sddl = self.get_desc_sddl(class_dn) 1078 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1079 self.assertEqual("O:DAG:DA", res) 1080 1081 def test_145(self): 1082 user_name = "testuser8" 1083 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) 1084 # Open Ldb connection with the tested user 1085 _ldb = self.get_ldb_connection(user_name, "samba123@") 1086 # Change Schema partition descriptor 1087 mod = "(A;;CC;;;AU)" 1088 self.dacl_add_ace(self.schema_dn, mod) 1089 # Create a custom security descriptor 1090 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 1091 # Create example Schema class 1092 class_name = self.get_unique_schema_class_name() 1093 class_dn = "CN=%s,%s" % (class_name, self.schema_dn) 1094 self.create_schema_class(_ldb, class_dn, desc_sddl) 1095 desc_sddl = self.get_desc_sddl(class_dn) 1096 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1097 self.assertEqual("O:DAG:DA", res) 1098 1099 ## Tests for CONFIGURATION 1100 1101 # Defalt descriptor tests ################################################################## 1102 1103 def test_160(self): 1104 user_name = "testuser1" 1105 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) 1106 # Open Ldb connection with the tested user 1107 _ldb = self.get_ldb_connection(user_name, "samba123@") 1108 # Create example Configuration container 1109 container_name = "test-container1" 1110 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1111 self.delete_force(self.ldb_admin, object_dn) 1112 self.create_configuration_container(_ldb, object_dn, ) 1113 desc_sddl = self.get_desc_sddl(object_dn) 1114 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1115 self.assertEqual(self.results[self.DS_BEHAVIOR]["160"], res) 1116 1117 def test_161(self): 1118 user_name = "testuser2" 1119 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) 1120 # Open Ldb connection with the tested user 1121 _ldb = self.get_ldb_connection(user_name, "samba123@") 1122 # Create example Configuration container 1123 container_name = "test-container1" 1124 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1125 self.delete_force(self.ldb_admin, object_dn) 1126 self.create_configuration_container(_ldb, object_dn, ) 1127 desc_sddl = self.get_desc_sddl(object_dn) 1128 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1129 self.assertEqual(self.results[self.DS_BEHAVIOR]["161"], res) 1130 1131 def test_162(self): 1132 user_name = "testuser3" 1133 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) 1134 # Open Ldb connection with the tested user 1135 _ldb = self.get_ldb_connection(user_name, "samba123@") 1136 # Create example Configuration container 1137 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn 1138 self.delete_force(self.ldb_admin, object_dn) 1139 self.create_configuration_container(self.ldb_admin, object_dn, ) 1140 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 1141 mod = "(A;;CC;;;AU)" 1142 self.dacl_add_ace(object_dn, mod) 1143 # Create child object with user's credentials 1144 object_dn = "CN=test-specifier1," + object_dn 1145 self.delete_force(self.ldb_admin, object_dn) 1146 self.create_configuration_specifier(_ldb, object_dn) 1147 desc_sddl = self.get_desc_sddl(object_dn) 1148 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1149 self.assertEqual(self.results[self.DS_BEHAVIOR]["162"] % str(user_sid), res) 1150 1151 def test_163(self): 1152 user_name = "testuser4" 1153 self.check_user_belongs(self.get_users_domain_dn(user_name), []) 1154 # Open Ldb connection with the tested user 1155 _ldb = self.get_ldb_connection(user_name, "samba123@") 1156 # Create example Configuration container 1157 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn 1158 self.delete_force(self.ldb_admin, object_dn) 1159 self.create_configuration_container(self.ldb_admin, object_dn, ) 1160 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 1161 mod = "(A;;CC;;;AU)" 1162 self.dacl_add_ace(object_dn, mod) 1163 # Create child object with user's credentials 1164 object_dn = "CN=test-specifier1," + object_dn 1165 self.delete_force(self.ldb_admin, object_dn) 1166 self.create_configuration_specifier(_ldb, object_dn) 1167 desc_sddl = self.get_desc_sddl(object_dn) 1168 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1169 self.assertEqual(self.results[self.DS_BEHAVIOR]["163"] % str(user_sid), res) 1170 1171 def test_164(self): 1172 user_name = "testuser5" 1173 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) 1174 # Open Ldb connection with the tested user 1175 _ldb = self.get_ldb_connection(user_name, "samba123@") 1176 # Create example Configuration container 1177 container_name = "test-container1" 1178 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1179 self.delete_force(self.ldb_admin, object_dn) 1180 self.create_configuration_container(_ldb, object_dn, ) 1181 desc_sddl = self.get_desc_sddl(object_dn) 1182 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1183 self.assertEqual(self.results[self.DS_BEHAVIOR]["164"], res) 1184 1185 def test_165(self): 1186 user_name = "testuser6" 1187 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) 1188 # Open Ldb connection with the tested user 1189 _ldb = self.get_ldb_connection(user_name, "samba123@") 1190 # Create example Configuration container 1191 container_name = "test-container1" 1192 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1193 self.delete_force(self.ldb_admin, object_dn) 1194 self.create_configuration_container(_ldb, object_dn, ) 1195 desc_sddl = self.get_desc_sddl(object_dn) 1196 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1197 self.assertEqual(self.results[self.DS_BEHAVIOR]["165"], res) 1198 1199 def test_166(self): 1200 user_name = "testuser7" 1201 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) 1202 # Open Ldb connection with the tested user 1203 _ldb = self.get_ldb_connection(user_name, "samba123@") 1204 # Create example Configuration container 1205 container_name = "test-container1" 1206 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1207 self.delete_force(self.ldb_admin, object_dn) 1208 self.create_configuration_container(_ldb, object_dn, ) 1209 desc_sddl = self.get_desc_sddl(object_dn) 1210 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1211 self.assertEqual(self.results[self.DS_BEHAVIOR]["166"], res) 1212 1213 def test_167(self): 1214 user_name = "testuser8" 1215 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) 1216 # Open Ldb connection with the tested user 1217 _ldb = self.get_ldb_connection(user_name, "samba123@") 1218 # Create example Configuration container 1219 container_name = "test-container1" 1220 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1221 self.delete_force(self.ldb_admin, object_dn) 1222 self.create_configuration_container(_ldb, object_dn, ) 1223 desc_sddl = self.get_desc_sddl(object_dn) 1224 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1225 self.assertEqual(self.results[self.DS_BEHAVIOR]["167"], res) 1226 1227 # Custom descriptor tests ################################################################## 1228 1229 def test_168(self): 1230 user_name = "testuser1" 1231 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) 1232 # Open Ldb connection with the tested user 1233 _ldb = self.get_ldb_connection(user_name, "samba123@") 1234 # Create example Configuration container 1235 container_name = "test-container1" 1236 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1237 self.delete_force(self.ldb_admin, object_dn) 1238 # Create a custom security descriptor 1239 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 1240 self.create_configuration_container(_ldb, object_dn, desc_sddl) 1241 desc_sddl = self.get_desc_sddl(object_dn) 1242 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1243 self.assertEqual("O:DAG:DA", res) 1244 1245 def test_169(self): 1246 user_name = "testuser2" 1247 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) 1248 # Open Ldb connection with the tested user 1249 _ldb = self.get_ldb_connection(user_name, "samba123@") 1250 # Create example Configuration container 1251 container_name = "test-container1" 1252 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1253 self.delete_force(self.ldb_admin, object_dn) 1254 # Create a custom security descriptor 1255 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 1256 self.create_configuration_container(_ldb, object_dn, desc_sddl) 1257 desc_sddl = self.get_desc_sddl(object_dn) 1258 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1259 self.assertEqual("O:DAG:DA", res) 1260 1261 def test_170(self): 1262 user_name = "testuser3" 1263 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) 1264 # Open Ldb connection with the tested user 1265 _ldb = self.get_ldb_connection(user_name, "samba123@") 1266 # Create example Configuration container 1267 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn 1268 self.delete_force(self.ldb_admin, object_dn) 1269 self.create_configuration_container(self.ldb_admin, object_dn, ) 1270 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 1271 mod = "(A;;CC;;;AU)" 1272 self.dacl_add_ace(object_dn, mod) 1273 # Create child object with user's credentials 1274 object_dn = "CN=test-specifier1," + object_dn 1275 self.delete_force(self.ldb_admin, object_dn) 1276 # Create a custom security descriptor 1277 # NB! Problematic owner part won't accept DA only <User Sid> !!! 1278 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) 1279 self.create_configuration_specifier(_ldb, object_dn, desc_sddl) 1280 desc_sddl = self.get_desc_sddl(object_dn) 1281 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1282 self.assertEqual(self.results[self.DS_BEHAVIOR]["170"] % str(user_sid), res) 1283 1284 def test_171(self): 1285 user_name = "testuser4" 1286 self.check_user_belongs(self.get_users_domain_dn(user_name), []) 1287 # Open Ldb connection with the tested user 1288 _ldb = self.get_ldb_connection(user_name, "samba123@") 1289 # Create example Configuration container 1290 object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn 1291 self.delete_force(self.ldb_admin, object_dn) 1292 self.create_configuration_container(self.ldb_admin, object_dn, ) 1293 user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) 1294 mod = "(A;;CC;;;AU)" 1295 self.dacl_add_ace(object_dn, mod) 1296 # Create child object with user's credentials 1297 object_dn = "CN=test-specifier1," + object_dn 1298 self.delete_force(self.ldb_admin, object_dn) 1299 # Create a custom security descriptor 1300 # NB! Problematic owner part won't accept DA only <User Sid> !!! 1301 desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) 1302 self.create_configuration_specifier(_ldb, object_dn, desc_sddl) 1303 desc_sddl = self.get_desc_sddl(object_dn) 1304 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1305 self.assertEqual(self.results[self.DS_BEHAVIOR]["171"] % str(user_sid), res) 1306 1307 def test_172(self): 1308 user_name = "testuser5" 1309 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) 1310 # Open Ldb connection with the tested user 1311 _ldb = self.get_ldb_connection(user_name, "samba123@") 1312 # Create example Configuration container 1313 container_name = "test-container1" 1314 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1315 self.delete_force(self.ldb_admin, object_dn) 1316 # Create a custom security descriptor 1317 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 1318 self.create_configuration_container(_ldb, object_dn, desc_sddl) 1319 desc_sddl = self.get_desc_sddl(object_dn) 1320 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1321 self.assertEqual("O:DAG:DA", res) 1322 1323 def test_173(self): 1324 user_name = "testuser6" 1325 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) 1326 # Open Ldb connection with the tested user 1327 _ldb = self.get_ldb_connection(user_name, "samba123@") 1328 # Create example Configuration container 1329 container_name = "test-container1" 1330 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1331 self.delete_force(self.ldb_admin, object_dn) 1332 # Create a custom security descriptor 1333 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 1334 self.create_configuration_container(_ldb, object_dn, desc_sddl) 1335 desc_sddl = self.get_desc_sddl(object_dn) 1336 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1337 self.assertEqual("O:DAG:DA", res) 1338 1339 def test_174(self): 1340 user_name = "testuser7" 1341 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) 1342 # Open Ldb connection with the tested user 1343 _ldb = self.get_ldb_connection(user_name, "samba123@") 1344 # Create example Configuration container 1345 container_name = "test-container1" 1346 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1347 self.delete_force(self.ldb_admin, object_dn) 1348 # Create a custom security descriptor 1349 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 1350 self.create_configuration_container(_ldb, object_dn, desc_sddl) 1351 desc_sddl = self.get_desc_sddl(object_dn) 1352 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1353 self.assertEqual("O:DAG:DA", res) 1354 1355 def test_175(self): 1356 user_name = "testuser8" 1357 self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) 1358 # Open Ldb connection with the tested user 1359 _ldb = self.get_ldb_connection(user_name, "samba123@") 1360 # Create example Configuration container 1361 container_name = "test-container1" 1362 object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) 1363 self.delete_force(self.ldb_admin, object_dn) 1364 # Create a custom security descriptor 1365 desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" 1366 self.create_configuration_container(_ldb, object_dn, desc_sddl) 1367 desc_sddl = self.get_desc_sddl(object_dn) 1368 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) 1369 self.assertEqual("O:DAG:DA", res) 1370 1371 ######################################################################################## 1372 # Inharitance tests for DACL 1373 1374class DaclDescriptorTests(DescriptorTests): 1375 1376 def setUp(self): 1377 DescriptorTests.setUp(self) 1378 1379 def tearDown(self): 1380 self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn) 1381 self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn) 1382 1383 def create_clean_ou(self, object_dn): 1384 """ Base repeating setup for unittests to follow """ 1385 res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \ 1386 expression="distinguishedName=%s" % object_dn) 1387 # Make sure top testing OU has been deleted before starting the test 1388 self.assertEqual(res, []) 1389 self.create_domain_ou(self.ldb_admin, object_dn) 1390 desc_sddl = self.get_desc_sddl(object_dn) 1391 # Make sutre there are inheritable ACEs initially 1392 self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl) 1393 # Find and remove all inherit ACEs 1394 res = re.findall("\(.*?\)", desc_sddl) 1395 res = [x for x in res if ("CI" in x) or ("OI" in x)] 1396 for x in res: 1397 desc_sddl = desc_sddl.replace(x, "") 1398 # Add flag 'protected' in both DACL and SACL so no inherit ACEs 1399 # can propagate from above 1400 desc_sddl = desc_sddl.replace(":AI", ":AIP") 1401 # colon at the end breaks ldif parsing, fix it 1402 res = re.findall(".*?S:", desc_sddl) 1403 if res: 1404 desc_sddl = desc_sddl.replace("S:", "") 1405 self.modify_desc(object_dn, desc_sddl) 1406 # Verify all inheritable ACEs are gone 1407 desc_sddl = self.get_desc_sddl(object_dn) 1408 self.assertFalse("CI" in desc_sddl) 1409 self.assertFalse("OI" in desc_sddl) 1410 1411 def test_200(self): 1412 """ OU with protected flag and child group. See if the group has inherit ACEs. 1413 """ 1414 ou_dn = "OU=test_inherit_ou," + self.base_dn 1415 group_dn = "CN=test_inherit_group," + ou_dn 1416 # Create inheritable-free OU 1417 self.create_clean_ou(ou_dn) 1418 # Create group child object 1419 self.create_domain_group(self.ldb_admin, group_dn) 1420 # Make sure created group object contains NO inherit ACEs 1421 desc_sddl = self.get_desc_sddl(group_dn) 1422 self.assertFalse("ID" in desc_sddl) 1423 1424 def test_201(self): 1425 """ OU with protected flag and no inherit ACEs, child group with custom descriptor. 1426 Verify group has custom and default ACEs only. 1427 """ 1428 ou_dn = "OU=test_inherit_ou," + self.base_dn 1429 group_dn = "CN=test_inherit_group," + ou_dn 1430 # Create inheritable-free OU 1431 self.create_clean_ou(ou_dn) 1432 # Create group child object using custom security descriptor 1433 sddl = "O:AUG:AUD:AI(D;;WP;;;DU)" 1434 self.create_domain_group(self.ldb_admin, group_dn, sddl) 1435 # Make sure created group descriptor has NO additional ACEs 1436 desc_sddl = self.get_desc_sddl(group_dn) 1437 print "group descriptor: " + desc_sddl 1438 self.assertEqual(desc_sddl, sddl) 1439 1440 def test_202(self): 1441 """ OU with protected flag and add couple non-inheritable ACEs, child group. 1442 See if the group has any of the added ACEs. 1443 """ 1444 ou_dn = "OU=test_inherit_ou," + self.base_dn 1445 group_dn = "CN=test_inherit_group," + ou_dn 1446 # Create inheritable-free OU 1447 self.create_clean_ou(ou_dn) 1448 # Add some custom non-inheritable ACEs 1449 mod = "(D;;WP;;;DU)(A;;RP;;;DU)" 1450 self.dacl_add_ace(ou_dn, mod) 1451 # Verify all inheritable ACEs are gone 1452 desc_sddl = self.get_desc_sddl(ou_dn) 1453 # Create group child object 1454 self.create_domain_group(self.ldb_admin, group_dn) 1455 # Make sure created group object contains NO inherit ACEs 1456 # also make sure the added above non-inheritable ACEs are absant too 1457 desc_sddl = self.get_desc_sddl(group_dn) 1458 self.assertFalse("ID" in desc_sddl) 1459 for x in re.findall("\(.*?\)", mod): 1460 self.assertFalse(x in desc_sddl) 1461 1462 def test_203(self): 1463 """ OU with protected flag and add 'CI' ACE, child group. 1464 See if the group has the added inherited ACE. 1465 """ 1466 ou_dn = "OU=test_inherit_ou," + self.base_dn 1467 group_dn = "CN=test_inherit_group," + ou_dn 1468 # Create inheritable-free OU 1469 self.create_clean_ou(ou_dn) 1470 # Add some custom 'CI' ACE 1471 mod = "(D;CI;WP;;;DU)" 1472 self.dacl_add_ace(ou_dn, mod) 1473 desc_sddl = self.get_desc_sddl(ou_dn) 1474 # Create group child object 1475 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") 1476 # Make sure created group object contains only the above inherited ACE 1477 # that we've added manually 1478 desc_sddl = self.get_desc_sddl(group_dn) 1479 mod = mod.replace(";CI;", ";CIID;") 1480 self.assertTrue(mod in desc_sddl) 1481 1482 def test_204(self): 1483 """ OU with protected flag and add 'OI' ACE, child group. 1484 See if the group has the added inherited ACE. 1485 """ 1486 ou_dn = "OU=test_inherit_ou," + self.base_dn 1487 group_dn = "CN=test_inherit_group," + ou_dn 1488 # Create inheritable-free OU 1489 self.create_clean_ou(ou_dn) 1490 # Add some custom 'CI' ACE 1491 mod = "(D;OI;WP;;;DU)" 1492 self.dacl_add_ace(ou_dn, mod) 1493 desc_sddl = self.get_desc_sddl(ou_dn) 1494 # Create group child object 1495 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") 1496 # Make sure created group object contains only the above inherited ACE 1497 # that we've added manually 1498 desc_sddl = self.get_desc_sddl(group_dn) 1499 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like 1500 self.assertTrue(mod in desc_sddl) 1501 1502 def test_205(self): 1503 """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group. 1504 See if the group has the added inherited ACE. 1505 """ 1506 ou_dn = "OU=test_inherit_ou," + self.base_dn 1507 group_dn = "CN=test_inherit_group," + ou_dn 1508 # Create inheritable-free OU 1509 self.create_clean_ou(ou_dn) 1510 # Add some custom 'OA' for 'name' attribute & 'CI' ACE 1511 mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" 1512 self.dacl_add_ace(ou_dn, mod) 1513 desc_sddl = self.get_desc_sddl(ou_dn) 1514 # Create group child object 1515 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") 1516 # Make sure created group object contains only the above inherited ACE 1517 # that we've added manually 1518 desc_sddl = self.get_desc_sddl(group_dn) 1519 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like 1520 self.assertTrue(mod in desc_sddl) 1521 1522 def test_206(self): 1523 """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group. 1524 See if the group has the added inherited ACE. 1525 """ 1526 ou_dn = "OU=test_inherit_ou," + self.base_dn 1527 group_dn = "CN=test_inherit_group," + ou_dn 1528 # Create inheritable-free OU 1529 self.create_clean_ou(ou_dn) 1530 # Add some custom 'OA' for 'name' attribute & 'OI' ACE 1531 mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" 1532 self.dacl_add_ace(ou_dn, mod) 1533 desc_sddl = self.get_desc_sddl(ou_dn) 1534 # Create group child object 1535 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") 1536 # Make sure created group object contains only the above inherited ACE 1537 # that we've added manually 1538 desc_sddl = self.get_desc_sddl(group_dn) 1539 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like 1540 self.assertTrue(mod in desc_sddl) 1541 1542 def test_207(self): 1543 """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group. 1544 See if the group has the added inherited ACE. 1545 """ 1546 ou_dn = "OU=test_inherit_ou," + self.base_dn 1547 group_dn = "CN=test_inherit_group," + ou_dn 1548 # Create inheritable-free OU 1549 self.create_clean_ou(ou_dn) 1550 # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE 1551 mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" 1552 self.dacl_add_ace(ou_dn, mod) 1553 desc_sddl = self.get_desc_sddl(ou_dn) 1554 # Create group child object 1555 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") 1556 # Make sure created group object contains only the above inherited ACE 1557 # that we've added manually 1558 desc_sddl = self.get_desc_sddl(group_dn) 1559 mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like 1560 self.assertTrue(mod in desc_sddl) 1561 1562 def test_208(self): 1563 """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group. 1564 See if the group has the added inherited ACE. 1565 """ 1566 ou_dn = "OU=test_inherit_ou," + self.base_dn 1567 group_dn = "CN=test_inherit_group," + ou_dn 1568 # Create inheritable-free OU 1569 self.create_clean_ou(ou_dn) 1570 # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE 1571 mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" 1572 self.dacl_add_ace(ou_dn, mod) 1573 desc_sddl = self.get_desc_sddl(ou_dn) 1574 # Create group child object 1575 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") 1576 # Make sure created group object contains only the above inherited ACE 1577 # that we've added manually 1578 desc_sddl = self.get_desc_sddl(group_dn) 1579 mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like 1580 self.assertTrue(mod in desc_sddl) 1581 1582 def test_209(self): 1583 """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group. 1584 See if the group has the added inherited ACE. 1585 """ 1586 ou_dn = "OU=test_inherit_ou," + self.base_dn 1587 group_dn = "CN=test_inherit_group," + ou_dn 1588 # Create inheritable-free OU 1589 self.create_clean_ou(ou_dn) 1590 # Add some custom 'CI' ACE 1591 mod = "(D;CI;WP;;;CO)" 1592 self.dacl_add_ace(ou_dn, mod) 1593 desc_sddl = self.get_desc_sddl(ou_dn) 1594 # Create group child object 1595 self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") 1596 # Make sure created group object contains only the above inherited ACE(s) 1597 # that we've added manually 1598 desc_sddl = self.get_desc_sddl(group_dn) 1599 self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl) 1600 self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) 1601 1602 ######################################################################################## 1603 1604if not "://" in host: 1605 host = "ldap://%s" % host 1606ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"]) 1607 1608runner = SubunitTestRunner() 1609rc = 0 1610if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful(): 1611 rc = 1 1612if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful(): 1613 rc = 1 1614 1615sys.exit(rc) 1616