From 7c8b34657a19c96bbeb2181cd194f323a6827365 Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova <nadezhda.ivanova@postpath.com>
Date: Fri, 20 Nov 2009 13:25:13 +0200
Subject: Implementation of LDAP_SERVER_SD_FLAGS_OID on modify requests.

---
 source4/lib/ldb/tests/python/sec_descriptor.py | 112 +++++++++++++++++++++++--
 1 file changed, 107 insertions(+), 5 deletions(-)

(limited to 'source4/lib')

diff --git a/source4/lib/ldb/tests/python/sec_descriptor.py b/source4/lib/ldb/tests/python/sec_descriptor.py
index 2770176f89..8763579dc0 100755
--- a/source4/lib/ldb/tests/python/sec_descriptor.py
+++ b/source4/lib/ldb/tests/python/sec_descriptor.py
@@ -25,7 +25,8 @@ from samba.ndr import ndr_pack, ndr_unpack
 from samba.dcerpc import security
 
 from samba.auth import system_session
-from samba import Ldb, DS_DOMAIN_FUNCTION_2008
+from samba import Ldb, DS_DOMAIN_FUNCTION_2008, SECINFO_OWNER, \
+    SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL
 from subunit import SubunitTestRunner
 import unittest
 
@@ -83,7 +84,7 @@ class DescriptorTests(unittest.TestCase):
     def get_users_domain_dn(self, name):
         return "CN=%s,CN=Users,%s" % (name, self.base_dn)
 
-    def modify_desc(self, _ldb, object_dn, desc):
+    def modify_desc(self, _ldb, object_dn, desc, controls=None):
         assert(isinstance(desc, str) or isinstance(desc, security.descriptor))
         mod = """
 dn: """ + object_dn + """
@@ -94,9 +95,9 @@ replace: nTSecurityDescriptor
             mod += "nTSecurityDescriptor: %s" % desc
         elif isinstance(desc, security.descriptor):
             mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
-        _ldb.modify_ldif(mod)
+        _ldb.modify_ldif(mod, controls)
 
-    def create_domain_ou(self, _ldb, ou_dn, desc=None):
+    def create_domain_ou(self, _ldb, ou_dn, desc=None, controls=None):
         ldif = """
 dn: """ + ou_dn + """
 ou: """ + ou_dn.split(",")[0][3:] + """
@@ -109,7 +110,7 @@ url: www.example.com
                 ldif += "nTSecurityDescriptor: %s" % desc
             elif isinstance(desc, security.descriptor):
                 ldif += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc))
-        _ldb.add_ldif(ldif)
+        _ldb.add_ldif(ldif, controls)
 
     def create_domain_user(self, _ldb, user_dn, desc=None):
         ldif = """
@@ -1683,6 +1684,105 @@ class DaclDescriptorTests(DescriptorTests):
 
     ########################################################################################
 
+
+class SdFlagsDescriptorTests(DescriptorTests):
+    def setUp(self):
+        DescriptorTests.setUp(self)
+        self.test_descr = "O:AUG:AUD:(D;;CC;;;LG)S:(OU;;WP;;;AU)"
+
+    def tearDown(self):
+        self.delete_force(self.ldb_admin, "OU=test_sdflags_ou," + self.base_dn)
+
+    def test_301(self):
+        """ Modify a descriptor with OWNER_SECURITY_INFORMATION set.
+            See that only the owner has been changed.
+        """
+        ou_dn = "OU=test_sdflags_ou," + self.base_dn
+        self.create_domain_ou(self.ldb_admin, ou_dn)
+        self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
+        desc_sddl = self.get_desc_sddl(ou_dn)
+        # make sure we have modified the owner
+        self.assertTrue("O:AU" in desc_sddl)
+        # make sure nothing else has been modified
+        self.assertFalse("G:AU" in desc_sddl)
+        self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
+        self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
+
+    def test_302(self):
+        """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
+            See that only the owner has been changed.
+        """
+        ou_dn = "OU=test_sdflags_ou," + self.base_dn
+        self.create_domain_ou(self.ldb_admin, ou_dn)
+        self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
+        desc_sddl = self.get_desc_sddl(ou_dn)
+        # make sure we have modified the group
+        self.assertTrue("G:AU" in desc_sddl)
+        # make sure nothing else has been modified
+        self.assertFalse("O:AU" in desc_sddl)
+        self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
+        self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
+
+    def test_303(self):
+        """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
+            See that only the owner has been changed.
+        """
+        ou_dn = "OU=test_sdflags_ou," + self.base_dn
+        self.create_domain_ou(self.ldb_admin, ou_dn)
+        self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
+        desc_sddl = self.get_desc_sddl(ou_dn)
+        # make sure we have modified the DACL
+        self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
+        # make sure nothing else has been modified
+        self.assertFalse("O:AU" in desc_sddl)
+        self.assertFalse("G:AU" in desc_sddl)
+        self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
+
+    def test_304(self):
+        """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
+            See that only the owner has been changed.
+        """
+        ou_dn = "OU=test_sdflags_ou," + self.base_dn
+        self.create_domain_ou(self.ldb_admin, ou_dn)
+        self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
+        desc_sddl = self.get_desc_sddl(ou_dn)
+        # make sure we have modified the DACL
+        self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
+        # make sure nothing else has been modified
+        self.assertFalse("O:AU" in desc_sddl)
+        self.assertFalse("G:AU" in desc_sddl)
+        self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
+
+    def test_305(self):
+        """ Modify a descriptor with 0x0 set.
+            Contrary to logic this is interpreted as no control,
+            which is the same as 0xF
+        """
+        ou_dn = "OU=test_sdflags_ou," + self.base_dn
+        self.create_domain_ou(self.ldb_admin, ou_dn)
+        self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:0"])
+        desc_sddl = self.get_desc_sddl(ou_dn)
+        # make sure we have modified the DACL
+        self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
+        # make sure nothing else has been modified
+        self.assertTrue("O:AU" in desc_sddl)
+        self.assertTrue("G:AU" in desc_sddl)
+        self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
+
+    def test_306(self):
+        """ Modify a descriptor with 0xF set.
+        """
+        ou_dn = "OU=test_sdflags_ou," + self.base_dn
+        self.create_domain_ou(self.ldb_admin, ou_dn)
+        self.modify_desc(self.ldb_admin, ou_dn, self.test_descr, controls=["sd_flags:1:15"])
+        desc_sddl = self.get_desc_sddl(ou_dn)
+        # make sure we have modified the DACL
+        self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
+        # make sure nothing else has been modified
+        self.assertTrue("O:AU" in desc_sddl)
+        self.assertTrue("G:AU" in desc_sddl)
+        self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
+
 if not "://" in host:
     host = "ldap://%s" % host
 ldb = Ldb(host, credentials=creds, session_info=system_session(), lp=lp, options=["modules:paged_searches"])
@@ -1693,5 +1793,7 @@ if not runner.run(unittest.makeSuite(OwnerGroupDescriptorTests)).wasSuccessful()
     rc = 1
 if not runner.run(unittest.makeSuite(DaclDescriptorTests)).wasSuccessful():
     rc = 1
+if not runner.run(unittest.makeSuite(SdFlagsDescriptorTests)).wasSuccessful():
+    rc = 1
 
 sys.exit(rc)
-- 
cgit