authorStefan Metzmacher <metze@samba.org>2023-03-22 14:48:00 +0100
committerAndrew Bartlett <abartlet@samba.org>2023-03-22 22:10:32 +0000
commita0217c50e920557046628bb171f2addea2ad7416 (patch)
tree1d339d852e7c4aded4b79d6bfd2ce988f7df651d /source4/dsdb/tests/python/sec_descriptor.py
parent731c85add116b8ab192d9a2d3bc56296635a226d (diff)
s4:dsdb/tests: add more detailed tests to sec_descriptor.py
These demonstrate how inherited aces are constructed and applied per objectclass, with and without the NO_PROPAGATE_INHERIT flag. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb/tests/python/sec_descriptor.py')
-rwxr-xr-xsource4/dsdb/tests/python/sec_descriptor.py501
1 files changed, 501 insertions, 0 deletions
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index 1579d669036..8e0aa3a7ae3 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -1716,6 +1716,507 @@ class DaclDescriptorTests(DescriptorTests):
self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl)
self.assertIn("(A;;WP;;;AU)", desc_sddl)
+ def test_ci_and_io_on_attribute(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CIOI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ mod = mod.replace(";CIOI;", ";OICIID;") # change it how it's gonna look like
+ self.assertIn(mod, desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertIn(mod, desc_sddl)
+
+ def test_ci_and_np_on_attribute(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CINP;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ mod = mod.replace(";CINP;", ";ID;") # change it how it's gonna look like
+ self.assertIn(mod, desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertIn(mod, desc_sddl)
+
+ def test_oi_and_np_on_attribute(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;OINP;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ mod = mod.replace(";OINP;", ";ID;") # change it how it's gonna look like
+ self.assertNotIn(mod, desc_sddl)
+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(mod, desc_sddl)
+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
+
+ def test_ci_ga_no_attr_objectclass_same(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CI;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ modob = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
+ modid = "(OA;CIIOID;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(modob, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertIn(modob, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+
+ def test_ci_ga_no_attr_objectclass_different(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CI;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
+ modid = "(OA;CIIOID;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+
+ def test_ci_ga_name_attr_objectclass_same(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CI;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ modob = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
+ modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(modob, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertIn(modob, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+
+ def test_ci_ga_name_attr_objectclass_different(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CI;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ modno = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
+ modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+
+ def test_ci_lc_no_attr_objectclass_same(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CI;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ modno = "(A;ID;LC;;;DA)"
+ modid = "(OA;CIID;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+
+ def test_ci_lc_no_attr_objectclass_different(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CI;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
+ modid = "(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+
+ def test_ci_lc_name_attr_objectclass_same(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CI;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ modob = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
+ modid = "(OA;CIID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertNotIn(modob, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(modob, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+
+ def test_ci_lc_name_attr_objectclass_different(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CI;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ modno = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
+ modid = "(OA;CIIOID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertIn(modid, desc_sddl)
+
+ def test_ci_np_ga_no_attr_objectclass_same(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ # Add some custom 'OA' for 'name' attribute & 'CI'+'OI' ACE
+ mod = "(OA;CINP;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ modob = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
+ modid = "(OA;CIIOID;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(modob, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
+
+ def test_ci_np_ga_no_attr_objectclass_different(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CINP;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
+ modid = "(OA;CIIOID;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
+
+ def test_ci_np_ga_name_attr_objectclass_same(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CINP;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ modob = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
+ modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(modob, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertIn(modob, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
+
+ def test_ci_np_ga_name_attr_objectclass_different(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CINP;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
+
+ def test_ci_np_lc_no_attr_objectclass_same(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CINP;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ modno = "(A;ID;LC;;;DA)"
+ modid = "(OA;CIID;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(modno, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertIn(modno, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
+
+ def test_ci_np_lc_no_attr_objectclass_different(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CINP;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ modno = "(A;ID;LC;;;DA)"
+ modid = "(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
+
+ def test_ci_np_lc_name_attr_objectclass_same(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CINP;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ modob = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
+ modid = "(OA;CIID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(modob, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertIn(modob, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl)
+
+ def test_ci_np_lc_name_attr_objectclass_different(self):
+ ou_dn = "OU=test_inherit_ou," + self.base_dn
+ group_dn = "CN=test_inherit_group," + ou_dn
+ # Create inheritable-free OU
+ self.create_clean_ou(ou_dn)
+ mod = "(OA;CINP;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ modno = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)"
+ modid = "(OA;CIIOID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)"
+ moded = "(D;;CC;;;LG)"
+ self.sd_utils.dacl_add_ace(ou_dn, mod)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
+ # Create group child object
+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
+ try:
+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
+ except LdbError as e:
+ self.fail(str(e))
+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
+ self.assertIn(moded, desc_sddl)
+ self.assertNotIn(modno, desc_sddl)
+ self.assertNotIn(modid, desc_sddl)
+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl)
+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl)
+
########################################################################################
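Review bot: In test_ci_lc_no_attr_objectclass_different the negative-control ACE `modno` carries the GA-expanded mask `CCDCLCSWRPWPDTLOCRSDRCWDWO` although the inheritable ACE on the line above grants only LC, so both `assertNotIn(modno, desc_sddl)` checks in that method can never fail and do not actually show that the mismatched objectclass suppressed the effective ACE; the sibling tests (the `_same` variant and both `ci_np_lc_no_attr` variants) use `modno = "(A;ID;LC;;;DA)"`, which is what this one should assert against as well. The comment `# Add some custom 'OA' for 'name' attribute & 'CI'+'OI' ACE` in test_ci_np_ga_no_attr_objectclass_same looks copied from an older test and no longer matches the CINP ACE with an empty attribute field beneath it; rewording it to `# Add an inheritable 'OA' ACE scoped to the objectclass, with NO_PROPAGATE_INHERIT set` would stop it misleading readers. In all twenty methods `desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)` right after `dacl_add_ace` is read but never checked, so either drop it or assert on it (bearing in mind that the first test already shows `CIOI` is rendered back as `OICI`). Finally, the methods differ only in the SDDL strings and the in/not-in polarity of each check, so a small parameterised helper would make the expected inheritance matrix readable at a glance and keep the present/absent pairs consistent; a sketch follows.
```python
    def _assert_inherited_aces(self, mod, present=(), absent=()):
        """Add inheritable ACE 'mod' to a clean OU, create a group under it and
        check which ACEs do (not) show up on the child, both before and after an
        unrelated DACL modification that must not disturb the inherited ones."""
        ou_dn = "OU=test_inherit_ou," + self.base_dn
        group_dn = "CN=test_inherit_group," + ou_dn
        moded = "(D;;CC;;;LG)"
        self.create_clean_ou(ou_dn)
        self.sd_utils.dacl_add_ace(ou_dn, mod)
        tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid)
        self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)

        def check(extra_present):
            desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
            for ace in (*present, *extra_present):
                self.assertIn(ace, desc_sddl)
            for ace in absent:
                self.assertNotIn(ace, desc_sddl)

        check(())
        try:
            self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
        except LdbError as e:
            self.fail(str(e))
        check((moded,))

    def test_ci_lc_no_attr_objectclass_different(self):
        self._assert_inherited_aces(
            "(OA;CI;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)",
            present=("(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)",),
            absent=("(A;ID;LC;;;DA)",))

    # … the remaining nineteen tests become one call each with their own strings …
```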