From 81240b13b365400e2da903a7fc0af1f501bc1249 Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova
Date: Mon, 5 Jul 2010 00:17:38 +0300
Subject: s4-dsdb: Implementation of User-Change-Password and User-Force-Password-Change

These CARs need to be checked on password change and password reset operations. Apparently the password attributes are not influenced by Write Property. Single detele operations and modifications of dBCSPwd are let through to the password_hash module. This is determined experimentally.
---
 source4/dsdb/tests/python/acl.py | 70 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 64 insertions(+), 6 deletions(-)

(limited to 'source4/dsdb/tests/python')

diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index 0f8fd0cdee..31bcd31ae2 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -15,7 +15,8 @@ samba.ensure_external_module("testtools", "testtools")
 import samba.getopt as options
 from ldb import (
- SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ SCOPE_BASE, LdbError, ERR_NO_SUCH_OBJECT,
+ ERR_UNWILLING_TO_PERFORM, ERR_INSUFFICIENT_ACCESS_RIGHTS)
 from ldb import ERR_CONSTRAINT_VIOLATION
 from ldb import Message, MessageElement, Dn
 from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE
@@ -1077,7 +1078,7 @@ unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le'))
 desc = self.read_desc(self.get_user_dn(self.user_with_wp))
 sddl = desc.as_sddl(self.domain_sid)
 try:
- self.ldb_user2.modify_ldif("""
+ self.ldb_user.modify_ldif("""
 dn: """ + self.get_user_dn(self.user_with_wp) + """
 changetype: modify
 delete: unicodePwd
@@ -1093,14 +1094,11 @@ unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le'))
 def test_change_password3(self):
 """Make sure WP has no influence"""
- desc = self.read_desc(self.get_user_dn(self.user_with_wp))
- sddl = desc.as_sddl(self.domain_sid)
- self.modify_desc(self.get_user_dn(self.user_with_wp), sddl)
 mod = "(D;;WP;;;PS)"
 self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
 desc = self.read_desc(self.get_user_dn(self.user_with_wp))
 sddl = desc.as_sddl(self.domain_sid)
- self.ldb_user2.modify_ldif("""
+ self.ldb_user.modify_ldif("""
 dn: """ + self.get_user_dn(self.user_with_wp) + """
 changetype: modify
 delete: unicodePwd
@@ -1109,6 +1107,64 @@ add: unicodePwd
 unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) + """
 """)
+ def test_change_password5(self):
+ """Make sure rights have no influence on dBCSPwd"""
+ desc = self.read_desc(self.get_user_dn(self.user_with_wp))
+ sddl = desc.as_sddl(self.domain_sid)
+ sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)", "")
+ sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)", "")
+ self.modify_desc(self.get_user_dn(self.user_with_wp), sddl)
+ mod = "(D;;WP;;;PS)"
+ self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ try:
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+delete: dBCSPwd
+dBCSPwd: XXXXXXXXXXXXXXXX
+add: dBCSPwd
+dBCSPwd: YYYYYYYYYYYYYYYY
+""")
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ else:
+ self.fail()
+
+ def test_change_password6(self):
+ """Test uneven delete/adds"""
+ try:
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+delete: userPassword
+userPassword: thatsAcomplPASS1
+delete: userPassword
+userPassword: thatsAcomplPASS1
+add: userPassword
+userPassword: thatsAcomplPASS2
+""")
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ else:
+ self.fail()
+ mod = "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;PS)"
+ self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod)
+ try:
+ self.ldb_user.modify_ldif("""
+dn: """ + self.get_user_dn(self.user_with_wp) + """
+changetype: modify
+delete: userPassword
+userPassword: thatsAcomplPASS1
+delete: userPassword
+userPassword: thatsAcomplPASS1
+add: userPassword
+userPassword: thatsAcomplPASS2
+""")
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ else:
+ self.fail()
+
 def test_reset_password1(self):
 """Try a user password reset operation (unicodePwd) before and after granting
 CAR"""
 try:
@@ -1259,6 +1315,8 @@ if not runner.run(unittest.makeSuite(AclDeleteTests)).wasSuccessful():
 rc = 1
 if not runner.run(unittest.makeSuite(AclRenameTests)).wasSuccessful():
 rc = 1
+if not runner.run(unittest.makeSuite(AclCARTests)).wasSuccessful():
+ rc = 1
 # Reset the "dSHeuristics" as they were before
 m = Message()
-- cgit
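Review bot: In test_change_password5 the two `sddl.replace(...)` calls that strip the User-Change-Password ACEs silently leave the SDDL untouched when the ACE is not present in exactly that spelling or ordering, so the test can still pass while the user keeps the right it is supposed to have lost; keep the original string and assert the rewrite took effect before applying it, e.g. `orig_sddl = desc.as_sddl(self.domain_sid)` followed by `self.assertNotEqual(sddl, orig_sddl)` ahead of `self.modify_desc(...)`. In test_change_password6 the same LDIF is spelled out twice; binding it once (`ldif = """dn: ...` ) and passing `ldif` to both `modify_ldif` calls keeps the "before" and "after granting the CAR" cases exercising identical input. Each bare `self.fail()` would be more useful with the expectation stated, e.g. `self.fail("expected ERR_UNWILLING_TO_PERFORM")`. The hunk opens inside test_change_password3's LDIF literal and closes inside test_reset_password1, both of which continue outside it.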