diff options
author | Zahari Zahariev <zahari.zahariev@postpath.com> | 2009-09-15 17:34:42 -0700 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-09-16 07:51:45 -0700 |
commit | fec33db90ebd998f17ed2d539d67abb448e09af2 (patch) | |
tree | e85d736ffa5409d3b3806da950bed83f6e01273a /source4/lib/ldb | |
parent | 932690c093692b1e9fca4dfa75c7cd55ea4e63b1 (diff) | |
download | samba-fec33db90ebd998f17ed2d539d67abb448e09af2.tar.gz samba-fec33db90ebd998f17ed2d539d67abb448e09af2.tar.bz2 samba-fec33db90ebd998f17ed2d539d67abb448e09af2.zip |
Tests for descriptor inheritance
Signed-off-by: Nadezhda Ivanova <nadezhda.ivanova@postpath.com>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/lib/ldb')
-rw-r--r-- | source4/lib/ldb/tests/python/sec_descriptor.py | 1610 |
1 files changed, 1610 insertions, 0 deletions
diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py new file mode 100644 index 0000000000..58a345450b --- /dev/null +++ b/source4/lib/ldb/tests/python/sec_descriptor.py @@ -0,0 +1,1610 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +import getopt +import optparse +import sys +import os +import base64 +import re +import random + +sys.path.append("bin/python") +sys.path.append("../lib/subunit/python") + +import samba.getopt as options + +# Some error messages that are being tested +from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError +from ldb import ERR_NO_SUCH_OBJECT, ERR_INVALID_DN_SYNTAX, ERR_UNWILLING_TO_PERFORM +from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS + +# For running the test unit +from samba.ndr import ndr_pack, ndr_unpack +from samba.dcerpc import security + +from samba.auth import system_session +from samba import Ldb, DS_BEHAVIOR_WIN2008 +from subunit import SubunitTestRunner +import unittest + +parser = optparse.OptionParser("ldap [options] <host>") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) + +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +# +# Tests start here +# + +class DescriptorTests(unittest.TestCase): + + def delete_force(self, ldb, dn): + try: + ldb.delete(dn) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + + def find_basedn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, + attrs=["defaultNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["defaultNamingContext"][0] + + def find_configurationdn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["configurationNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["configurationNamingContext"][0] + + def find_schemadn(self, ldb): + res = ldb.search(base="", expression="", scope=SCOPE_BASE, attrs=["schemaNamingContext"]) + self.assertEquals(len(res), 1) + return res[0]["schemaNamingContext"][0] + + def find_domain_sid(self, ldb): + res = ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) + return ndr_unpack( security.dom_sid,res[0]["objectSid"][0]) + + def get_users_domain_dn(self, name): + return "CN=%s,CN=Users,%s" % (name, self.base_dn) + + def modify_desc(self, object_dn, desc): + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + mod = """ +dn: """ + object_dn + """ +changetype: modify +replace: nTSecurityDescriptor +""" + if isinstance(desc, str): + mod += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + self.ldb_admin.modify_ldif(mod) + + def create_domain_ou(self, _ldb, ou_dn, desc=None): + ldif = """ +dn: """ + ou_dn + """ +ou: """ + ou_dn.split(",")[0][3:] + """ +objectClass: organizationalUnit +url: www.example.com +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def create_domain_user(self, _ldb, user_dn, desc=None): + ldif = """ +dn: """ + user_dn + """ +sAMAccountName: """ + user_dn.split(",")[0][3:] + """ +objectClass: user +userPassword: samba123@ +url: www.example.com +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def create_domain_group(self, _ldb, group_dn, desc=None): + ldif = """ +dn: """ + group_dn + """ +objectClass: group +sAMAccountName: """ + group_dn.split(",")[0][3:] + """ +groupType: 4 +url: www.example.com +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def get_unique_schema_class_name(self): + while True: + class_name = "test-class%s" % random.randint(1,100000) + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + try: + self.ldb_admin.search(base=class_dn, attrs=["*"]) + except LdbError, (num, _): + self.assertEquals(num, ERR_NO_SUCH_OBJECT) + return class_name + + def create_schema_class(self, _ldb, object_dn, desc=None): + ldif = """ +dn: """ + object_dn + """ +objectClass: classSchema +objectCategory: CN=Class-Schema,""" + self.schema_dn + """ +defaultObjectCategory: """ + object_dn + """ +distinguishedName: """ + object_dn + """ +governsID: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939 +instanceType: 4 +objectClassCategory: 1 +subClassOf: organizationalPerson +systemFlags: 16 +rDNAttID: cn +systemMustContain: cn +systemOnly: FALSE +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def create_configuration_container(self, _ldb, object_dn, desc=None): + ldif = """ +dn: """ + object_dn + """ +objectClass: container +objectCategory: CN=Container,""" + self.schema_dn + """ +showInAdvancedViewOnly: TRUE +instanceType: 4 +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def create_configuration_specifier(self, _ldb, object_dn, desc=None): + ldif = """ +dn: """ + object_dn + """ +objectClass: displaySpecifier +showInAdvancedViewOnly: TRUE +""" + if desc: + assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) + if isinstance(desc, str): + ldif += "nTSecurityDescriptor: %s" % desc + elif isinstance(desc, security.descriptor): + ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) + _ldb.add_ldif(ldif) + + def read_desc(self, object_dn): + res = self.ldb_admin.search(base=object_dn, attrs=["nTSecurityDescriptor"]) + desc = res[0]["nTSecurityDescriptor"][0] + return ndr_unpack( security.descriptor, desc ) + + def enable_account(self, user_dn): + """Enable an account. + :param user_dn: Dn of the account to enable. + """ + res = self.ldb_admin.search(user_dn, SCOPE_BASE, None, ["userAccountControl"]) + assert len(res) == 1 + userAccountControl = res[0]["userAccountControl"][0] + userAccountControl = int(userAccountControl) + if (userAccountControl & 0x2): + userAccountControl = userAccountControl & ~0x2 # remove disabled bit + if (userAccountControl & 0x20): + userAccountControl = userAccountControl & ~0x20 # remove 'no password required' bit + mod = """ +dn: """ + user_dn + """ +changetype: modify +replace: userAccountControl +userAccountControl: %s""" % userAccountControl + if self.WIN2003: + mod = re.sub("userAccountControl: \d.*", "userAccountControl: 544", mod) + self.ldb_admin.modify_ldif(mod) + + def get_ldb_connection(self, target_username, target_password): + username_save = creds.get_username(); password_save = creds.get_password() + creds.set_username(target_username) + creds.set_password(target_password) + ldb_target = Ldb(host, credentials=creds, session_info=system_session(), lp=lp) + creds.set_username(username_save); creds.set_password(password_save) + return ldb_target + + def get_object_sid(self, object_dn): + res = self.ldb_admin.search(object_dn) + return ndr_unpack( security.dom_sid, res[0]["objectSid"][0] ) + + def dacl_add_ace(self, object_dn, ace): + desc = self.read_desc( object_dn ) + desc_sddl = desc.as_sddl( self.domain_sid ) + if ace in desc_sddl: + return + desc_sddl = desc_sddl[0:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):] + self.modify_desc(object_dn, desc_sddl) + + def get_desc_sddl(self, object_dn): + """ Return object nTSecutiryDescriptor in SDDL format + """ + desc = self.read_desc(object_dn) + return desc.as_sddl(self.domain_sid) + + def setUp(self): + self.ldb_admin = ldb + self.base_dn = self.find_basedn(self.ldb_admin) + self.configuration_dn = self.find_configurationdn(self.ldb_admin) + self.schema_dn = self.find_schemadn(self.ldb_admin) + self.domain_sid = self.find_domain_sid(self.ldb_admin) + print "baseDN: %s" % self.base_dn + self.SAMBA = False; self.WIN2003 = False + res = self.ldb_admin.search(base="", expression="", scope=SCOPE_BASE, attrs=["vendorName"]) + if "vendorName" in res[0].keys() and "Samba Team" in res[0]["vendorName"][0]: + self.SAMBA = True + else: + self.WIN2003 = True + #print "self.SAMBA:", self.SAMBA + #print "self.WIN2003:", self.WIN2003 + + ################################################################################################ + + ## Tests for DOMAIN + + # Default descriptor tests ##################################################################### + +class OwnerGroupDescriptorTests(DescriptorTests): + + def setUp(self): + DescriptorTests.setUp(self) + if self.SAMBA: + ### Create users + # User 1 + user_dn = self.get_users_domain_dn("testuser1") + self.create_domain_user(self.ldb_admin, user_dn) + self.enable_account(user_dn) + ldif = """ +dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + self.ldb_admin.modify_ldif(ldif) + # User 2 + user_dn = self.get_users_domain_dn("testuser2") + self.create_domain_user(self.ldb_admin, user_dn) + self.enable_account(user_dn) + ldif = """ +dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + self.ldb_admin.modify_ldif(ldif) + # User 3 + user_dn = self.get_users_domain_dn("testuser3") + self.create_domain_user(self.ldb_admin, user_dn) + self.enable_account(user_dn) + ldif = """ +dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + self.ldb_admin.modify_ldif(ldif) + # User 4 + user_dn = self.get_users_domain_dn("testuser4") + self.create_domain_user(self.ldb_admin, user_dn) + self.enable_account(user_dn) + # User 5 + user_dn = self.get_users_domain_dn("testuser5") + self.create_domain_user(self.ldb_admin, user_dn) + self.enable_account(user_dn) + ldif = """ +dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + """ + +dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + self.ldb_admin.modify_ldif(ldif) + # User 6 + user_dn = self.get_users_domain_dn("testuser6") + self.create_domain_user(self.ldb_admin, user_dn) + self.enable_account(user_dn) + ldif = """ +dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + """ + +dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + """ + +dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + self.ldb_admin.modify_ldif(ldif) + # User 7 + user_dn = self.get_users_domain_dn("testuser7") + self.create_domain_user(self.ldb_admin, user_dn) + self.enable_account(user_dn) + ldif = """ +dn: CN=Domain Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + """ + +dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + self.ldb_admin.modify_ldif(ldif) + # User 8 + user_dn = self.get_users_domain_dn("testuser8") + self.create_domain_user(self.ldb_admin, user_dn) + self.enable_account(user_dn) + ldif = """ +dn: CN=Enterprise Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + """ + +dn: CN=Schema Admins,CN=Users,""" + self.base_dn + """ +changetype: add +member: """ + user_dn + self.ldb_admin.modify_ldif(ldif) + self.results = { + # msDS-Behavior-Version < DS_BEHAVIOR_WIN2008 + "ds_behavior_win2003" : { + "100" : "O:EAG:DU", + "101" : "O:DAG:DU", + "102" : "O:%sG:DU", + "103" : "O:%sG:DU", + "104" : "O:DAG:DU", + "105" : "O:DAG:DU", + "106" : "O:DAG:DU", + "107" : "O:EAG:DU", + "108" : "O:DAG:DA", + "109" : "O:DAG:DA", + "110" : "O:%sG:DA", + "111" : "O:%sG:DA", + "112" : "O:DAG:DA", + "113" : "O:DAG:DA", + "114" : "O:DAG:DA", + "115" : "O:DAG:DA", + "130" : "O:EAG:DU", + "131" : "O:DAG:DU", + "132" : "O:SAG:DU", + "133" : "O:%sG:DU", + "134" : "O:EAG:DU", + "135" : "O:SAG:DU", + "136" : "O:SAG:DU", + "137" : "O:SAG:DU", + "138" : "O:DAG:DA", + "139" : "O:DAG:DA", + "140" : "O:%sG:DA", + "141" : "O:%sG:DA", + "142" : "O:DAG:DA", + "143" : "O:DAG:DA", + "144" : "O:DAG:DA", + "145" : "O:DAG:DA", + "160" : "O:EAG:DU", + "161" : "O:DAG:DU", + "162" : "O:%sG:DU", + "163" : "O:%sG:DU", + "164" : "O:EAG:DU", + "165" : "O:EAG:DU", + "166" : "O:DAG:DU", + "167" : "O:EAG:DU", + "168" : "O:DAG:DA", + "169" : "O:DAG:DA", + "170" : "O:%sG:DA", + "171" : "O:%sG:DA", + "172" : "O:DAG:DA", + "173" : "O:DAG:DA", + "174" : "O:DAG:DA", + "175" : "O:DAG:DA", + }, + # msDS-Behavior-Version >= 3 + "ds_behavior_win2008" : { + "100" : "O:EAG:EA", + "101" : "O:DAG:DA", + "102" : "O:%sG:DU", + "103" : "O:%sG:DU", + "104" : "O:DAG:DA", + "105" : "O:DAG:DA", + "106" : "O:DAG:DA", + "107" : "O:EAG:EA", + "108" : "O:DAG:DA", + "109" : "O:DAG:DA", + "110" : "O:%sG:DA", + "111" : "O:%sG:DA", + "112" : "O:DAG:DA", + "113" : "O:DAG:DA", + "114" : "O:DAG:DA", + "115" : "O:DAG:DA", + "130" : "", + "131" : "", + "132" : "", + "133" : "%s", + "134" : "", + "135" : "", + "136" : "", + "137" : "", + "138" : "", + "139" : "", + "140" : "%s", + "141" : "%s", + "142" : "", + "143" : "", + "144" : "", + "145" : "", + "160" : "O:EAG:EA", + "161" : "O:DAG:DA", + "162" : "O:%sG:DU", + "163" : "O:%sG:DU", + "164" : "O:EAG:EA", + "165" : "O:EAG:EA", + "166" : "O:DAG:DA", + "167" : "O:EAG:EA", + "168" : "O:DAG:DA", + "169" : "O:DAG:DA", + "170" : "O:%sG:DA", + "171" : "O:%sG:DA", + "172" : "O:DAG:DA", + "173" : "O:DAG:DA", + "174" : "O:DAG:DA", + "175" : "O:DAG:DA", + }, + } + # Discover 'msDS-Behavior-Version' + res = self.ldb_admin.search(base=self.base_dn, expression="distinguishedName=%s" % self.base_dn, \ + attrs=['msDS-Behavior-Version']) + res = int(res[0]['msDS-Behavior-Version'][0]) + if res < DS_BEHAVIOR_WIN2008: + self.DS_BEHAVIOR = "ds_behavior_win2003" + else: + self.DS_BEHAVIOR = "ds_behavior_win2008" + + def tearDown(self): + if self.SAMBA: + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser1")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser2")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser3")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser4")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser5")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser6")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser7")) + self.delete_force(self.ldb_admin, self.get_users_domain_dn("testuser8")) + # DOMAIN + self.delete_force(self.ldb_admin, self.get_users_domain_dn("test_domain_group1")) + self.delete_force(self.ldb_admin, "CN=test_domain_user1,OU=test_domain_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn) + # SCHEMA + # CONFIGURATION + self.delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," \ + + self.configuration_dn) + self.delete_force(self.ldb_admin, "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn) + + def check_user_belongs(self, user_dn, groups=[]): + """ Test wether user is member of the expected group(s) """ + if groups != []: + # User is member of at least one additional group + res = self.ldb_admin.search(user_dn, attrs=["memberOf"]) + res = [x.upper() for x in sorted(list(res[0]["memberOf"]))] + expected = [] + for x in groups: + expected.append(self.get_users_domain_dn(x)) + expected = [x.upper() for x in sorted(expected)] + self.assertEqual(expected, res) + else: + # User is not a member of any additional groups but default + res = self.ldb_admin.search(user_dn, attrs=["*"]) + res = [x.upper() for x in res[0].keys()] + self.assertFalse( "MEMBEROF" in res) + + def test_100(self): + """ Enterprise admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection("testuser1", "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + self.create_domain_group(_ldb, group_dn) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["100"], res) + + def test_101(self): + """ Dmain admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + self.create_domain_group(_ldb, group_dn) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["101"], res) + + def test_102(self): + """ Schema admin group member with CC right creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + # Create additional object into the first one + object_dn = "CN=test_domain_user1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_user(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["102"] % str(user_sid), res) + + def test_103(self): + """ Regular user with CC right creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + # Create additional object into the first one + object_dn = "CN=test_domain_user1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_user(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["103"] % str(user_sid), res) + + def test_104(self): + """ Enterprise & Domain admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + self.create_domain_group(_ldb, group_dn) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["104"], res) + + def test_105(self): + """ Enterprise & Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + self.create_domain_group(_ldb, group_dn) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["105"], res) + + def test_106(self): + """ Domain & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + self.create_domain_group(_ldb, group_dn) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["106"], res) + + def test_107(self): + """ Enterprise & Schema admin group member creates object (default nTSecurityDescriptor) in DOMAIN + """ + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + self.create_domain_group(_ldb, group_dn) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["107"], res) + + # Control descriptor tests ##################################################################### + + def test_108(self): + """ Enterprise admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, group_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["108"], res) + + def test_109(self): + """ Domain admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, group_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["109"], res) + + def test_110(self): + """ Schema admin group member with CC right creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only <User Sid> !!! + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + # Create additional object into the first one + object_dn = "CN=test_domain_user1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_user(_ldb, object_dn, desc_sddl) + desc = self.read_desc(object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["110"] % str(user_sid), res) + + def test_111(self): + """ Regular user with CC right creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;%s)" % str(user_sid) + self.dacl_add_ace(object_dn, mod) + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only <User Sid> !!! + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + # Create additional object into the first one + object_dn = "CN=test_domain_user1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_user(_ldb, object_dn, desc_sddl) + desc = self.read_desc(object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["111"] % str(user_sid), res) + + def test_112(self): + """ Domain & Enterprise admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, group_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["112"], res) + + def test_113(self): + """ Domain & Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, group_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["113"], res) + + def test_114(self): + """ Domain & Schema admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, group_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["114"], res) + + def test_115(self): + """ Enterprise & Schema admin group member creates object (custom descriptor) in DOMAIN + """ + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + group_dn = "CN=test_domain_group1,CN=Users," + self.base_dn + self.delete_force(self.ldb_admin, group_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_domain_group(_ldb, group_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(group_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["115"], res) + + + def test_999(self): + user_name = "Administrator" + object_dn = "OU=test_domain_ou1," + self.base_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(D;CI;WP;;;S-1-3-0)" + #mod = "" + self.dacl_add_ace(object_dn, mod) + desc_sddl = self.get_desc_sddl(object_dn) + #print desc_sddl + # Create additional object into the first one + object_dn = "OU=test_domain_ou2," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_domain_ou(self.ldb_admin, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + #print desc_sddl + + ## Tests for SCHEMA + + # Defalt descriptor tests ################################################################## + + def test_130(self): + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["130"], res) + + def test_131(self): + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["131"], res) + + def test_132(self): + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["132"], res) + + def test_133(self): + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + #Change Schema partition descriptor + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["133"] % str(user_sid), res) + + def test_134(self): + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + #Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["134"], res) + + def test_135(self): + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["135"], res) + + def test_136(self): + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["136"], res) + + def test_137(self): + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["137"], res) + + # Custom descriptor tests ################################################################## + + def test_138(self): + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_139(self): + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_140(self): + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only <User Sid> !!! + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["140"] % str(user_sid), res) + + def test_141(self): + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only <User Sid> !!! + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["141"] % str(user_sid), res) + + def test_142(self): + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_143(self): + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_144(self): + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_145(self): + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Change Schema partition descriptor + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(self.schema_dn, mod) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + # Create example Schema class + class_name = self.get_unique_schema_class_name() + class_dn = "CN=%s,%s" % (class_name, self.schema_dn) + self.create_schema_class(_ldb, class_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(class_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + ## Tests for CONFIGURATION + + # Defalt descriptor tests ################################################################## + + def test_160(self): + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["160"], res) + + def test_161(self): + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["161"], res) + + def test_162(self): + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(self.ldb_admin, object_dn, ) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(object_dn, mod) + # Create child object with user's credentials + object_dn = "CN=test-specifier1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_specifier(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["162"] % str(user_sid), res) + + def test_163(self): + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(self.ldb_admin, object_dn, ) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(object_dn, mod) + # Create child object with user's credentials + object_dn = "CN=test-specifier1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_specifier(_ldb, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["163"] % str(user_sid), res) + + def test_164(self): + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["164"], res) + + def test_165(self): + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["165"], res) + + def test_166(self): + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["166"], res) + + def test_167(self): + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(_ldb, object_dn, ) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["167"], res) + + # Custom descriptor tests ################################################################## + + def test_168(self): + user_name = "testuser1" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_169(self): + user_name = "testuser2" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_170(self): + user_name = "testuser3" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(self.ldb_admin, object_dn, ) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(object_dn, mod) + # Create child object with user's credentials + object_dn = "CN=test-specifier1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only <User Sid> !!! + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + self.create_configuration_specifier(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["170"] % str(user_sid), res) + + def test_171(self): + user_name = "testuser4" + self.check_user_belongs(self.get_users_domain_dn(user_name), []) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + object_dn = "CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn + self.delete_force(self.ldb_admin, object_dn) + self.create_configuration_container(self.ldb_admin, object_dn, ) + user_sid = self.get_object_sid( self.get_users_domain_dn(user_name) ) + mod = "(A;;CC;;;AU)" + self.dacl_add_ace(object_dn, mod) + # Create child object with user's credentials + object_dn = "CN=test-specifier1," + object_dn + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + # NB! Problematic owner part won't accept DA only <User Sid> !!! + desc_sddl = "O:%sG:DAD:(A;;RP;;;DU)" % str(user_sid) + self.create_configuration_specifier(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual(self.results[self.DS_BEHAVIOR]["171"] % str(user_sid), res) + + def test_172(self): + user_name = "testuser5" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_173(self): + user_name = "testuser6" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_174(self): + user_name = "testuser7" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Domain Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + def test_175(self): + user_name = "testuser8" + self.check_user_belongs(self.get_users_domain_dn(user_name), ["Enterprise Admins", "Schema Admins"]) + # Open Ldb connection with the tested user + _ldb = self.get_ldb_connection(user_name, "samba123@") + # Create example Configuration container + container_name = "test-container1" + object_dn = "CN=%s,CN=DisplaySpecifiers,%s" % (container_name, self.configuration_dn) + self.delete_force(self.ldb_admin, object_dn) + # Create a custom security descriptor + desc_sddl = "O:DAG:DAD:(A;;RP;;;DU)" + self.create_configuration_container(_ldb, object_dn, desc_sddl) + desc_sddl = self.get_desc_sddl(object_dn) + res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1) + self.assertEqual("O:DAG:DA", res) + + ######################################################################################## + # Inharitance tests for DACL + +class DaclDescriptorTests(DescriptorTests): + + def setUp(self): + DescriptorTests.setUp(self) + + def tearDown(self): + self.delete_force(self.ldb_admin, "CN=test_inherit_group,OU=test_inherit_ou," + self.base_dn) + self.delete_force(self.ldb_admin, "OU=test_inherit_ou," + self.base_dn) + + def create_clean_ou(self, object_dn): + """ Base repeating setup for unittests to follow """ + res = self.ldb_admin.search(base=self.base_dn, scope=SCOPE_SUBTREE, \ + expression="distinguishedName=%s" % object_dn) + # Make sure top testing OU has been deleted before starting the test + self.assertEqual(res, []) + self.create_domain_ou(self.ldb_admin, object_dn) + desc_sddl = self.get_desc_sddl(object_dn) + # Make sutre there are inheritable ACEs initially + self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl) + # Find and remove all inherit ACEs + res = re.findall("\(.*?\)", desc_sddl) + res = [x for x in res if ("CI" in x) or ("OI" in x)] + for x in res: + desc_sddl = desc_sddl.replace(x, "") + # Add flag 'protected' in both DACL and SACL so no inherit ACEs + # can propagate from above + desc_sddl = desc_sddl.replace(":AI", ":AIP") + self.modify_desc(object_dn, desc_sddl) + # Verify all inheritable ACEs are gone + desc_sddl = self.get_desc_sddl(object_dn) + self.assertFalse("CI" in desc_sddl) + self.assertFalse("OI" in desc_sddl) + + def test_200(self): + """ OU with protected flag and child group. See if the group has inherit ACEs. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn) + # Make sure created group object contains NO inherit ACEs + desc_sddl = self.get_desc_sddl(group_dn) + self.assertFalse("ID" in desc_sddl) + + def test_201(self): + """ OU with protected flag and no inherit ACEs, child group with custom descriptor. + Verify group has custom and default ACEs only. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Create group child object using custom security descriptor + sddl = "O:AUG:AUD:AI(D;;WP;;;DU)" + self.create_domain_group(self.ldb_admin, group_dn, sddl) + # Make sure created group descriptor has NO additional ACEs + desc_sddl = self.get_desc_sddl(group_dn) + self.assertEqual(desc_sddl, sddl) + + def test_202(self): + """ OU with protected flag and add couple non-inheritable ACEs, child group. + See if the group has any of the added ACEs. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom non-inheritable ACEs + mod = "(D;;WP;;;DU)(A;;RP;;;DU)" + self.dacl_add_ace(ou_dn, mod) + # Verify all inheritable ACEs are gone + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn) + # Make sure created group object contains NO inherit ACEs + # also make sure the added above non-inheritable ACEs are absant too + desc_sddl = self.get_desc_sddl(group_dn) + self.assertFalse("ID" in desc_sddl) + for x in re.findall("\(.*?\)", mod): + self.assertFalse(x in desc_sddl) + + def test_203(self): + """ OU with protected flag and add 'CI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'CI' ACE + mod = "(D;CI;WP;;;DU)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";CI;", ";CIID;") + self.assertTrue(mod in desc_sddl) + + def test_204(self): + """ OU with protected flag and add 'OI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'CI' ACE + mod = "(D;OI;WP;;;DU)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like + self.assertTrue(mod in desc_sddl) + + def test_205(self): + """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'OA' for 'name' attribute & 'CI' ACE + mod = "(OA;CI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like + self.assertTrue(mod in desc_sddl) + + def test_206(self): + """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'OA' for 'name' attribute & 'OI' ACE + mod = "(OA;OI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like + self.assertTrue(mod in desc_sddl) + + def test_207(self): + """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'OA' for 'st' attribute (OU specific) & 'CI' ACE + mod = "(OA;CI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like + self.assertTrue(mod in desc_sddl) + + def test_208(self): + """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'OA' for 'st' attribute (OU specific) & 'OI' ACE + mod = "(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like + self.assertTrue(mod in desc_sddl) + + def test_209(self): + """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group. + See if the group has the added inherited ACE. + """ + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'CI' ACE + mod = "(D;CI;WP;;;CO)" + self.dacl_add_ace(ou_dn, mod) + desc_sddl = self.get_desc_sddl(ou_dn) + # Create group child object + self.create_domain_group(self.ldb_admin, group_dn, "O:AUG:AUD:AI(A;;CC;;;AU)") + # Make sure created group object contains only the above inherited ACE(s) + # that we've added manually + desc_sddl = self.get_desc_sddl(group_dn) + #print desc_sddl + self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl) + self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) + + ######################################################################################## + +if not "://" in host: + host = "ldap://%s" % host +ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"]) + +runner = SubunitTestRunner() +rc = 0 +if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful(): + rc = 1 +if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful(): + rc = 1 + +sys.exit(rc) |