summaryrefslogtreecommitdiff
path: root/source4/dsdb
diff options
context:
space:
mode:
Diffstat (limited to 'source4/dsdb')
-rwxr-xr-xsource4/dsdb/tests/python/token_group.py100
1 files changed, 100 insertions, 0 deletions
diff --git a/source4/dsdb/tests/python/token_group.py b/source4/dsdb/tests/python/token_group.py
new file mode 100755
index 0000000000..ee90dd480c
--- /dev/null
+++ b/source4/dsdb/tests/python/token_group.py
@@ -0,0 +1,100 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# test tokengroups attribute against internal token calculation
+
+import optparse
+import sys
+import os
+
+sys.path.append("bin/python")
+import samba
+samba.ensure_external_module("testtools", "testtools")
+samba.ensure_external_module("subunit", "subunit/python")
+
+import samba.getopt as options
+
+from samba.auth import system_session
+from samba import ldb
+from samba.samdb import SamDB
+from samba.ndr import ndr_pack, ndr_unpack
+
+from subunit.run import SubunitTestRunner
+import unittest
+
+from samba.dcerpc import security
+from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
+
+
+parser = optparse.OptionParser("ldap.py [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+opts, args = parser.parse_args()
+
+if len(args) < 1:
+ parser.print_usage()
+ sys.exit(1)
+
+url = args[0]
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+class TokenTest(unittest.TestCase):
+
+ def setUp(self):
+ super(TokenTest, self).setUp()
+ self.ldb = samdb
+ self.base_dn = samdb.domain_dn()
+
+ def test_TokenGroups(self):
+ """Testing rootDSE tokengroups against internal calculation"""
+ if not url.startswith("ldap"):
+ self.fail(msg="This test is only valid on ldap")
+
+ res = self.ldb.search("", scope=ldb.SCOPE_BASE, attrs=["tokenGroups"])
+ self.assertEquals(len(res), 1)
+
+ print("Geting tokenGroups from rootDSE")
+ tokengroups = []
+ for sid in res[0]['tokenGroups']:
+ tokengroups.append(str(ndr_unpack(samba.dcerpc.security.dom_sid, sid)))
+
+ print("Geting token from user session")
+ session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
+ AUTH_SESSION_INFO_AUTHENTICATED |
+ AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
+ session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn="<SID=%s>" % tokengroups[0],
+ session_info_flags=session_info_flags)
+
+ token = session.security_token
+ sids = []
+ for s in token.sids:
+ sids.append(str(s))
+ sidset1 = set(tokengroups)
+ sidset2 = set(sids)
+ if sidset1 != sidset2:
+ print("token sids don't match")
+ print("tokengroups: %s" % tokengroups)
+ print("calculated : %s" % sids);
+ print("difference : %s" % sidset1.difference(sidset2))
+ self.fail(msg="token groups don't match")
+
+
+
+if not "://" in url:
+ if os.path.isfile(url):
+ url = "tdb://%s" % url
+ else:
+ url = "ldap://%s" % url
+
+samdb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
+
+runner = SubunitTestRunner()
+rc = 0
+if not runner.run(unittest.makeSuite(TokenTest)).wasSuccessful():
+ rc = 1
+sys.exit(rc)