diff options
Diffstat (limited to 'source4/lib')
-rwxr-xr-x | source4/lib/ldb/tests/python/sec_descriptor.py | 112 |
1 files changed, 107 insertions, 5 deletions
diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py index 2770176f89..8763579dc0 100755 --- a/source4/lib/ldb/tests/python/sec_descriptor.py +++ b/source4/lib/ldb/tests/python/sec_descriptor.py @@ -25,7 +25,8 @@ from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security from samba.auth import system_session -from samba import Ldb, DS_DOMAIN_FUNCTION_2008 +from samba import Ldb, DS_DOMAIN_FUNCTION_2008, SECINFO_OWNER, \ + SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL from subunit import SubunitTestRunner import unittest @@ -83,7 +84,7 @@ class DescriptorTests(unittest.TestCase): def get_users_domain_dn(self, name): return "CN=%s,CN=Users,%s" % (name, self.base_dn) - def modify_desc(self, _ldb, object_dn, desc): + def modify_desc(self, _ldb, object_dn, desc, controls=None): assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) mod = """ dn: """ + object_dn + """ @@ -94,9 +95,9 @@ replace: nTSecurityDescriptor mod += "nTSecurityDescriptor: %s" % desc elif isinstance(desc, security.descriptor): mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.modify_ldif(mod) + _ldb.modify_ldif(mod, controls) - def create_domain_ou(self, _ldb, ou_dn, desc=None): + def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None): ldif = """ dn: """ + ou_dn + """ ou: """ + ou_dn.split(",")[0][3:] + """ @@ -109,7 +110,7 @@ url: www.example.com ldif += "nTSecurityDescriptor: %s" % desc elif isinstance(desc, security.descriptor): ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - _ldb.add_ldif(ldif) + _ldb.add_ldif(ldif, controls) def create_domain_user(self, _ldb, user_dn, desc=None): ldif = """ @@ -1683,6 +1684,105 @@ class DaclDescriptorTests(DescriptorTests): ######################################################################################## + +class SdFlagsDescriptorTests(DescriptorTests): + def setUp(self): + DescriptorTests.setUp(self) + self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)" + + def tearDown(self): + self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn) + + def test_301(self): + """ Modify a descriptor with OWNER_SECURITY_INFORMATION set. + See that only the owner has been changed. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the owner + self.assertTrue("O:AU" in desc_sddl) + # make sure nothing else has been modified + self.assertFalse("G:AU" in desc_sddl) + self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl) + self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) + + def test_302(self): + """ Modify a descriptor with GROUP_SECURITY_INFORMATION set. + See that only the owner has been changed. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the group + self.assertTrue("G:AU" in desc_sddl) + # make sure nothing else has been modified + self.assertFalse("O:AU" in desc_sddl) + self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl) + self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) + + def test_303(self): + """ Modify a descriptor with SACL_SECURITY_INFORMATION set. + See that only the owner has been changed. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the DACL + self.assertTrue("(D;;CC;;;LG)" in desc_sddl) + # make sure nothing else has been modified + self.assertFalse("O:AU" in desc_sddl) + self.assertFalse("G:AU" in desc_sddl) + self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) + + def test_304(self): + """ Modify a descriptor with SACL_SECURITY_INFORMATION set. + See that only the owner has been changed. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the DACL + self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) + # make sure nothing else has been modified + self.assertFalse("O:AU" in desc_sddl) + self.assertFalse("G:AU" in desc_sddl) + self.assertFalse("(D;;CC;;;LG)" in desc_sddl) + + def test_305(self): + """ Modify a descriptor with 0x0 set. + Contrary to logic this is interpreted as no control, + which is the same as 0xF + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the DACL + self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) + # make sure nothing else has been modified + self.assertTrue("O:AU" in desc_sddl) + self.assertTrue("G:AU" in desc_sddl) + self.assertTrue("(D;;CC;;;LG)" in desc_sddl) + + def test_306(self): + """ Modify a descriptor with 0xF set. + """ + ou_dn = "OU=test_sdflags_ou," + self.base_dn + self.create_domain_ou(self.ldb_admin, ou_dn) + self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"]) + desc_sddl = self.get_desc_sddl(ou_dn) + # make sure we have modified the DACL + self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) + # make sure nothing else has been modified + self.assertTrue("O:AU" in desc_sddl) + self.assertTrue("G:AU" in desc_sddl) + self.assertTrue("(D;;CC;;;LG)" in desc_sddl) + if not "://" in host: host = "ldap://%s" % host ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"]) @@ -1693,5 +1793,7 @@ if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful() rc = 1 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful(): rc = 1 +if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful(): + rc = 1 sys.exit(rc) |