summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rwxr-xr-xsource4/dsdb/tests/python/acl.py246
1 files changed, 242 insertions, 4 deletions
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index 5bf3ff9b1b..0f8fd0cdee 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -16,7 +16,9 @@ import samba.getopt as options
from ldb import (
SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, ERR_INSUFFICIENT_ACCESS_RIGHTS)
-
+from ldb import ERR_CONSTRAINT_VIOLATION
+from ldb import Message, MessageElement, Dn
+from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE
from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import security
@@ -154,7 +156,7 @@ url: www.example.com
dn: """ + group_dn + """
objectClass: group
sAMAccountName: """ + group_dn.split(",")[0][3:] + """
-groupType: 2147483650
+groupType: 4
url: www.example.com
"""
if desc:
@@ -415,7 +417,7 @@ displayName: test_changed"""
res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % str("OU=test_modify_ou1," + self.base_dn))
self.assertEqual(res[0]["displayName"][0], "test_changed")
- def _test_modify_u2(self):
+ def test_modify_u2(self):
"""6 Modify two attributes as you have DS_WRITE_PROPERTY granted only for one of them"""
mod = "(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(self.user_sid)
# First test object -- User
@@ -641,7 +643,7 @@ Member: CN=test_modify_user2,CN=Users,""" + self.base_dn
"""13 User with WP modifying Member"""
#a second user is given write property permission
user_sid = self.get_object_sid(self.get_user_dn(self.user_with_wp))
- mod = "(OA;;WP;;;%s)" % str(user_sid)
+ mod = "(A;;WP;;;%s)" % str(user_sid)
self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod)
ldif = """
dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """
@@ -1023,12 +1025,230 @@ class AclRenameTests(AclTests):
res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou3_dn)
self.assertNotEqual(res, [])
+#tests on Control Access Rights
+class AclCARTests(AclTests):
+
+ def setUp(self):
+ super(AclCARTests, self).setUp()
+ self.user_with_wp = "acl_car_user1"
+ self.user_with_pc = "acl_car_user2"
+ self.create_enable_user(self.user_with_wp)
+ self.create_enable_user(self.user_with_pc)
+ self.ldb_user = self.get_ldb_connection(self.user_with_wp, self.user_pass)
+ self.ldb_user2 = self.get_ldb_connection(self.user_with_pc, self.user_pass)
+
+ def tearDown(self):
+ super(AclCARTests, self).tearDown()
+ self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_wp))
+ self.delete_force(self.ldb_admin, self.get_user_dn(self.user_with_pc))
+
+ def test_change_password1(self):
+ """Try a password change operation without any CARs given"""
+ #users have change password by default - remove for negative testing
+ desc = self.read_desc(self.get_user_dn(self.user_with_wp))
+ sddl = desc.as_sddl(self.domain_sid)
+ sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)", "")
+ sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)", "")
+ self.modify_desc(self.get_user_dn(self.user_with_wp), sddl)
+ try:
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+""")
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+ else:
+ # for some reason we get constraint violation instead of insufficient access error
+ self.fail()
+
+ def test_change_password2(self):
+ """Make sure WP has no influence"""
+ desc = self.read_desc(self.get_user_dn(self.user_with_wp))
+ sddl = desc.as_sddl(self.domain_sid)
+ sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)", "")
+ sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)", "")
+ self.modify_desc(self.get_user_dn(self.user_with_wp), sddl)
+ mod = "(A;;WP;;;PS)"
+ self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ desc = self.read_desc(self.get_user_dn(self.user_with_wp))
+ sddl = desc.as_sddl(self.domain_sid)
+ try:
+ self.ldb_user2.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+""")
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+ else:
+ # for some reason we get constraint violation instead of insufficient access error
+ self.fail()
+
+ def test_change_password3(self):
+ """Make sure WP has no influence"""
+ desc = self.read_desc(self.get_user_dn(self.user_with_wp))
+ sddl = desc.as_sddl(self.domain_sid)
+ self.modify_desc(self.get_user_dn(self.user_with_wp), sddl)
+ mod = "(D;;WP;;;PS)"
+ self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ desc = self.read_desc(self.get_user_dn(self.user_with_wp))
+ sddl = desc.as_sddl(self.domain_sid)
+ self.ldb_user2.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+delete: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"samba123@\"".encode('utf-16-le')) + """
+add: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
+""")
+
+ def test_reset_password1(self):
+ """Try a user password reset operation (unicodePwd) before and after granting CAR"""
+ try:
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+replace: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """
+""")
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ else:
+ self.fail()
+ mod = "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS)"
+ self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+replace: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """
+""")
+
+ def test_reset_password2(self):
+ """Try a user password reset operation (userPassword) before and after granting CAR"""
+ try:
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+replace: userPassword
+userPassword: thatsAcomplPASS1
+""")
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ else:
+ self.fail()
+ mod = "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS)"
+ self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+replace: userPassword
+userPassword: thatsAcomplPASS1
+""")
+
+ def test_reset_password3(self):
+ """Grant WP and see what happens (unicodePwd)"""
+ mod = "(A;;WP;;;PS)"
+ self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ try:
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+replace: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """
+""")
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ else:
+ self.fail()
+
+ def test_reset_password4(self):
+ """Grant WP and see what happens (userPassword)"""
+ mod = "(A;;WP;;;PS)"
+ self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ try:
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+replace: userPassword
+userPassword: thatsAcomplPASS1
+""")
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ else:
+ self.fail()
+
+ def test_reset_password5(self):
+ """Explicitly deny WP but grant CAR (unicodePwd)"""
+ mod = "(D;;WP;;;PS)(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS)"
+ self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+replace: unicodePwd
+unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS1\"".encode('utf-16-le')) + """
+""")
+
+ def test_reset_password6(self):
+ """Explicitly deny WP but grant CAR (userPassword)"""
+ mod = "(D;;WP;;;PS)(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS)"
+ self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+replace: userPassword
+userPassword: thatsAcomplPASS1
+""")
+
# Important unit running information
if not "://" in host:
host = "ldap://%s" % host
ldb = SamDB(host, credentials=creds, session_info=system_session(), lp=lp)
+# Gets back the configuration basedn
+res = ldb.search(base="", expression="", scope=SCOPE_BASE,
+ attrs=["configurationNamingContext"])
+configuration_dn = res[0]["configurationNamingContext"][0]
+
+# Gets back the cbasedn
+res = ldb.search(base="", expression="", scope=SCOPE_BASE,
+ attrs=["defaultNamingContext"])
+base_dn = res[0]["defaultNamingContext"][0]
+
+# Get the old "dSHeuristics" if it was set
+res = ldb.search("CN=Directory Service, CN=Windows NT, CN=Services, "
+ + configuration_dn, scope=SCOPE_BASE, attrs=["dSHeuristics"])
+if "dSHeuristics" in res[0]:
+ dsheuristics = res[0]["dSHeuristics"][0]
+else:
+ dsheuristics = None
+
+# Set the "dSHeuristics" to have the tests run against Windows Server
+m = Message()
+m.dn = Dn(ldb, "CN=Directory Service, CN=Windows NT, CN=Services, "
+ + configuration_dn)
+m["dSHeuristics"] = MessageElement("000000001", FLAG_MOD_REPLACE,
+ "dSHeuristics")
+ldb.modify(m)
+
+# Get the current minPwdAge
+res = ldb.search(base_dn, scope=SCOPE_BASE, attrs=["minPwdAge"])
+minPwdAge = res[0]["minPwdAge"][0]
+
+#set minPwdAge to 0 so password tests can against Windows server
+m = Message()
+m.dn = Dn(ldb, base_dn)
+m["minPwdAge"] = MessageElement("0", FLAG_MOD_REPLACE, "minPwdAge")
+ldb.modify(m)
+
runner = SubunitTestRunner()
rc = 0
if not runner.run(unittest.makeSuite(AclAddTests)).wasSuccessful():
@@ -1039,4 +1259,22 @@ if not runner.run(unittest.makeSuite(AclDeleteTests)).wasSuccessful():
rc = 1
if not runner.run(unittest.makeSuite(AclRenameTests)).wasSuccessful():
rc = 1
+
+# Reset the "dSHeuristics" as they were before
+m = Message()
+m.dn = Dn(ldb, "CN=Directory Service, CN=Windows NT, CN=Services, "
+ + configuration_dn)
+if dsheuristics is not None:
+ m["dSHeuristics"] = MessageElement(dsheuristics, FLAG_MOD_REPLACE,
+ "dSHeuristics")
+else:
+ m["dSHeuristics"] = MessageElement([], FLAG_MOD_DELETE, "dsHeuristics")
+ldb.modify(m)
+
+# Reset minPwdAge as before
+m = Message()
+m.dn = Dn(ldb, base_dn)
+m["minPwdAge"] = MessageElement(minPwdAge, FLAG_MOD_REPLACE, "minPwdAge")
+ldb.modify(m)
+
sys.exit(rc)