The branch, master has been updated via b285d03 s4-tests: Modified sec_descriptor.py to use the sd_utils helpers. via c9264bb s4-tests: Modified acl.py to use the sd_utils helpers. via c5480e6 s4-tests: Moved some commonly redefined security descriptor methods to a utils class from 378295c build: detect if conf.env['CPP'] is an array or not
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit b285d0304a58fbacb9fcaa8359271bcd717c16f7 Author: Nadezhda Ivanova <nivan...@samba.org> Date: Fri Dec 10 10:31:58 2010 +0200 s4-tests: Modified sec_descriptor.py to use the sd_utils helpers. Autobuild-User: Nadezhda Ivanova <nivan...@samba.org> Autobuild-Date: Fri Dec 10 11:03:28 CET 2010 on sn-devel-104 commit c9264bb04e58c7549e4f21bddae731e9b9dffa38 Author: Nadezhda Ivanova <nivan...@samba.org> Date: Fri Dec 10 10:31:19 2010 +0200 s4-tests: Modified acl.py to use the sd_utils helpers. commit c5480e659e270852a3e099eb3fafbae19bbb8988 Author: Nadezhda Ivanova <nivan...@samba.org> Date: Fri Dec 10 10:29:14 2010 +0200 s4-tests: Moved some commonly redefined security descriptor methods to a utils class These methods are used in more than one testsuite now so they are now in a utility class instead of being defined everywhere. ----------------------------------------------------------------------- Summary of changes: source4/dsdb/tests/python/acl.py | 213 ++++++--------- source4/dsdb/tests/python/sec_descriptor.py | 379 ++++++++++++--------------- source4/scripting/python/samba/sd_utils.py | 79 ++++++ 3 files changed, 336 insertions(+), 335 deletions(-) create mode 100644 source4/scripting/python/samba/sd_utils.py Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py index c540e7e..d336fa9 100755 --- a/source4/dsdb/tests/python/acl.py +++ b/source4/dsdb/tests/python/acl.py @@ -25,7 +25,7 @@ from samba.ndr import ndr_pack, ndr_unpack from samba.dcerpc import security from samba.auth import system_session -from samba import gensec +from samba import gensec, sd_utils from samba.samdb import SamDB from samba.credentials import Credentials import samba.tests @@ -66,32 +66,12 @@ class AclTests(samba.tests.TestCase): self.domain_sid = security.dom_sid(ldb.get_domain_sid()) self.user_pass = "samba123@" self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized() + self.sd_utils = sd_utils.SDUtils(ldb) print "baseDN: %s" % self.base_dn def get_user_dn(self, name): return "CN=%s,CN=Users,%s" % (name, self.base_dn) - def modify_desc(self, object_dn, desc): - """ Modify security descriptor using either SDDL string - or security.descriptor object - """ - assert(isinstance(desc, str) or isinstance(desc, security.descriptor)) - mod = """ -dn: """ + object_dn + """ -changetype: modify -replace: nTSecurityDescriptor -""" - if isinstance(desc, str): - mod += "nTSecurityDescriptor: %s" % desc - elif isinstance(desc, security.descriptor): - mod += "nTSecurityDescriptor:: %s" % base64.b64encode(ndr_pack(desc)) - self.ldb_admin.modify_ldif(mod) - - def read_desc(self, object_dn): - res = self.ldb_admin.search(object_dn, SCOPE_BASE, None, ["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - return ndr_unpack(security.descriptor, desc) - def get_ldb_connection(self, target_username, target_password): creds_tmp = Credentials() creds_tmp.set_username(target_username) @@ -104,27 +84,6 @@ replace: nTSecurityDescriptor ldb_target = SamDB(url=host, credentials=creds_tmp, lp=lp) return ldb_target - def get_object_sid(self, object_dn): - res = self.ldb_admin.search(object_dn) - return ndr_unpack(security.dom_sid, res[0]["objectSid"][0]) - - def dacl_add_ace(self, object_dn, ace): - desc = self.read_desc(object_dn) - desc_sddl = desc.as_sddl(self.domain_sid) - if ace in desc_sddl: - return - if desc_sddl.find("(") >= 0: - desc_sddl = desc_sddl[:desc_sddl.index("(")] + ace + desc_sddl[desc_sddl.index("("):] - else: - desc_sddl = desc_sddl + ace - self.modify_desc(object_dn, desc_sddl) - - def get_desc_sddl(self, object_dn): - """ Return object nTSecutiryDescriptor in SDDL format - """ - desc = self.read_desc(object_dn) - return desc.as_sddl(self.domain_sid) - # Test if we have any additional groups for users than default ones def assert_user_no_group_member(self, username): res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % self.get_user_dn(username)) @@ -189,9 +148,9 @@ class AclAddTests(AclTests): # Change descriptor for top level OU self.ldb_owner.create_ou("OU=test_add_ou1," + self.base_dn) self.ldb_owner.create_ou("OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) - user_sid = self.get_object_sid(self.get_user_dn(self.usr_admin_not_owner)) + user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.usr_admin_not_owner)) mod = "(D;CI;WPCC;;;%s)" % str(user_sid) - self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod) # Test user and group creation with another domain admin's credentials self.ldb_notowner.newuser(self.test_user1, self.user_pass, userou=self.ou2) self.ldb_notowner.newgroup("test_add_group1", groupou="OU=test_add_ou2,OU=test_add_ou1", @@ -230,9 +189,9 @@ class AclAddTests(AclTests): self.assert_top_ou_deleted() # Change descriptor for top level OU self.ldb_owner.create_ou("OU=test_add_ou1," + self.base_dn) - user_sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user)) mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - self.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=test_add_ou1," + self.base_dn, mod) self.ldb_owner.create_ou("OU=test_add_ou2,OU=test_add_ou1," + self.base_dn) # Test user and group creation with granted user only to one of the objects self.ldb_user.newuser(self.test_user1, self.user_pass, userou=self.ou2, setpassword=False) @@ -284,7 +243,7 @@ class AclModifyTests(AclTests): self.ldb_user = self.get_ldb_connection(self.user_with_wp, self.user_pass) self.ldb_user2 = self.get_ldb_connection(self.user_with_sm, self.user_pass) self.ldb_user3 = self.get_ldb_connection(self.user_with_group_sm, self.user_pass) - self.user_sid = self.get_object_sid( self.get_user_dn(self.user_with_wp)) + self.user_sid = self.sd_utils.get_object_sid( self.get_user_dn(self.user_with_wp)) self.ldb_admin.newgroup("test_modify_group2", grouptype=4) self.ldb_admin.newgroup("test_modify_group3", grouptype=4) self.ldb_admin.newuser("test_modify_user2", self.user_pass) @@ -307,7 +266,7 @@ class AclModifyTests(AclTests): # First test object -- User print "Testing modify on User object" self.ldb_admin.newuser("test_modify_user1", self.user_pass) - self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod) + self.sd_utils.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod) ldif = """ dn: """ + self.get_user_dn("test_modify_user1") + """ changetype: modify @@ -320,7 +279,7 @@ displayName: test_changed""" # Second test object -- Group print "Testing modify on Group object" self.ldb_admin.newgroup("test_modify_group1", grouptype=4) - self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod) ldif = """ dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ changetype: modify @@ -333,7 +292,7 @@ displayName: test_changed""" print "Testing modify on OU object" #delete_force(self.ldb_admin, "OU=test_modify_ou1," + self.base_dn) self.ldb_admin.create_ou("OU=test_modify_ou1," + self.base_dn) - self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod) ldif = """ dn: OU=test_modify_ou1,""" + self.base_dn + """ changetype: modify @@ -350,7 +309,7 @@ displayName: test_changed""" print "Testing modify on User object" #delete_force(self.ldb_admin, self.get_user_dn("test_modify_user1")) self.ldb_admin.newuser("test_modify_user1", self.user_pass) - self.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod) + self.sd_utils.dacl_add_ace(self.get_user_dn("test_modify_user1"), mod) # Modify on attribute you have rights for ldif = """ dn: """ + self.get_user_dn("test_modify_user1") + """ @@ -378,7 +337,7 @@ url: www.samba.org""" # Second test object -- Group print "Testing modify on Group object" self.ldb_admin.newgroup("test_modify_group1", grouptype=4) - self.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("CN=test_modify_group1,CN=Users," + self.base_dn, mod) ldif = """ dn: CN=test_modify_group1,CN=Users,""" + self.base_dn + """ changetype: modify @@ -405,7 +364,7 @@ url: www.samba.org""" # Second test object -- Organizational Unit print "Testing modify on OU object" self.ldb_admin.create_ou("OU=test_modify_ou1," + self.base_dn) - self.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=test_modify_ou1," + self.base_dn, mod) ldif = """ dn: OU=test_modify_ou1,""" + self.base_dn + """ changetype: modify @@ -501,7 +460,7 @@ adminDescription: blah blah blah""" self.fail() mod = "(OA;;WP;bf967919-0de6-11d0-a285-00aa003049e2;;PS)" - self.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod) + self.sd_utils.dacl_add_ace(self.get_user_dn(self.user_with_wp), mod) # Modify on attribute you have rights for self.ldb_user.modify_ldif(ldif) res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" \ @@ -525,9 +484,9 @@ Member: """ + self.get_user_dn(self.user_with_sm) self.fail() #grant self-membership, should be able to add himself - user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm)) + user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.user_with_sm)) mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) self.ldb_user2.modify_ldif(ldif) res = self.ldb_admin.search( self.base_dn, expression="(distinguishedName=%s)" \ % ("CN=test_modify_group2,CN=Users," + self.base_dn), attrs=["Member"]) @@ -555,9 +514,9 @@ Member: """ + self.get_user_dn(self.user_with_sm) + """ Member: CN=test_modify_user2,CN=Users,""" + self.base_dn #grant self-membership, should be able to add himself but not others at the same time - user_sid = self.get_object_sid(self.get_user_dn(self.user_with_sm)) + user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.user_with_sm)) mod = "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) - self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) try: self.ldb_user2.modify_ldif(ldif) except LdbError, (num, _): @@ -568,9 +527,9 @@ Member: CN=test_modify_user2,CN=Users,""" + self.base_dn def test_modify_u7(self): """13 User with WP modifying Member""" #a second user is given write property permission - user_sid = self.get_object_sid(self.get_user_dn(self.user_with_wp)) + user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.user_with_wp)) mod = "(A;;WP;;;%s)" % str(user_sid) - self.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("CN=test_modify_group2,CN=Users," + self.base_dn, mod) ldif = """ dn: CN=test_modify_group2,CN=Users,""" + self.base_dn + """ changetype: modify @@ -625,8 +584,8 @@ class AclSearchTests(AclTests): Dn(self.ldb_admin, "OU=ou4,OU=ou2,OU=ou1," + self.base_dn), Dn(self.ldb_admin, "OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn), Dn(self.ldb_admin, "OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn)] - self.user_sid = self.get_object_sid(self.get_user_dn(self.u1)) - self.group_sid = self.get_object_sid(self.get_user_dn(self.group1)) + self.user_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.u1)) + self.group_sid = self.sd_utils.get_object_sid(self.get_user_dn(self.group1)) def create_clean_ou(self, object_dn): """ Base repeating setup for unittests to follow """ @@ -635,7 +594,7 @@ class AclSearchTests(AclTests): # Make sure top testing OU has been deleted before starting the test self.assertEqual(res, []) self.ldb_admin.create_ou(object_dn) - desc_sddl = self.get_desc_sddl(object_dn) + desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn) # Make sure there are inheritable ACEs initially self.assertTrue("CI" in desc_sddl or "OI" in desc_sddl) # Find and remove all inherit ACEs @@ -647,9 +606,9 @@ class AclSearchTests(AclTests): # can propagate from above # remove SACL, we are not interested desc_sddl = desc_sddl.replace(":AI", ":AIP") - self.modify_desc(object_dn, desc_sddl) + self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl) # Verify all inheritable ACEs are gone - desc_sddl = self.get_desc_sddl(object_dn) + desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn) self.assertFalse("CI" in desc_sddl) self.assertFalse("OI" in desc_sddl) @@ -712,7 +671,7 @@ class AclSearchTests(AclTests): self.ldb_admin.set_dsheuristics("0000002") self.ldb_admin.create_ou("OU=test_search_ou1," + self.base_dn) mod = "(A;CI;LC;;;AN)" - self.dacl_add_ace("OU=test_search_ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=test_search_ou1," + self.base_dn, mod) self.ldb_admin.create_ou("OU=test_search_ou2,OU=test_search_ou1," + self.base_dn) anonymous = SamDB(url=host, credentials=self.creds_tmp, lp=lp) res = anonymous.search("OU=test_search_ou2,OU=test_search_ou1," + self.base_dn, @@ -731,7 +690,7 @@ class AclSearchTests(AclTests): """Make sure users can see us if given LC to user and group""" self.create_clean_ou("OU=ou1," + self.base_dn) mod = "(A;;LC;;;%s)(A;;LC;;;%s)" % (str(self.user_sid), str(self.group_sid)) - self.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod) tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod, self.domain_sid) self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) @@ -772,7 +731,7 @@ class AclSearchTests(AclTests): self.ldb_admin.create_ou("OU=ou5,OU=ou3,OU=ou2,OU=ou1," + self.base_dn) self.ldb_admin.create_ou("OU=ou6,OU=ou4,OU=ou2,OU=ou1," + self.base_dn) mod = "(D;;LC;;;%s)(D;;LC;;;%s)" % (str(self.user_sid), str(self.group_sid)) - self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) res = self.ldb_user3.search("OU=ou1," + self.base_dn, expression="(objectClass=*)", scope=SCOPE_SUBTREE) #this user should see all ous @@ -799,7 +758,7 @@ class AclSearchTests(AclTests): """Make sure users can't see ous if access is explicitly denied - 2""" self.create_clean_ou("OU=ou1," + self.base_dn) mod = "(A;CI;LC;;;%s)(A;CI;LC;;;%s)" % (str(self.user_sid), str(self.group_sid)) - self.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod) tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod, self.domain_sid) self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) @@ -818,7 +777,7 @@ class AclSearchTests(AclTests): self.fail() mod = "(D;;LC;;;%s)(D;;LC;;;%s)" % (str(self.user_sid), str(self.group_sid)) - self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) ok_list = [Dn(self.ldb_admin, "OU=ou2,OU=ou1," + self.base_dn), Dn(self.ldb_admin, "OU=ou1," + self.base_dn)] @@ -850,7 +809,7 @@ class AclSearchTests(AclTests): """There is no difference in visibility if the user is also creator""" self.create_clean_ou("OU=ou1," + self.base_dn) mod = "(A;CI;CC;;;%s)" % (str(self.user_sid)) - self.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod) tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod, self.domain_sid) self.ldb_user.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) @@ -877,7 +836,7 @@ class AclSearchTests(AclTests): """Make sure users can see only attributes they are allowed to see""" self.create_clean_ou("OU=ou1," + self.base_dn) mod = "(A;CI;LC;;;%s)" % (str(self.user_sid)) - self.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod) tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod, self.domain_sid) self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) @@ -898,8 +857,8 @@ class AclSearchTests(AclTests): #give read property on ou and assert user can only see dn and ou mod = "(OA;;RP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % (str(self.user_sid)) - self.dacl_add_ace("OU=ou1," + self.base_dn, mod) - self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) res = self.ldb_user.search("OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)", scope=SCOPE_SUBTREE) ok_list = ['dn', 'ou'] @@ -909,8 +868,8 @@ class AclSearchTests(AclTests): #give read property on Public Information and assert user can see ou and other members mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;%s)" % (str(self.user_sid)) - self.dacl_add_ace("OU=ou1," + self.base_dn, mod) - self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) res = self.ldb_user.search("OU=ou2,OU=ou1," + self.base_dn, expression="(objectClass=*)", scope=SCOPE_SUBTREE) @@ -922,7 +881,7 @@ class AclSearchTests(AclTests): """If an attribute that cannot be read is used in a filter, it is as if the attribute does not exist""" self.create_clean_ou("OU=ou1," + self.base_dn) mod = "(A;CI;LCCC;;;%s)" % (str(self.user_sid)) - self.dacl_add_ace("OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou1," + self.base_dn, mod) tmp_desc = security.descriptor.from_sddl("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" + mod, self.domain_sid) self.ldb_admin.create_ou("OU=ou2,OU=ou1," + self.base_dn, sd=tmp_desc) @@ -935,7 +894,7 @@ class AclSearchTests(AclTests): #give read property on ou and assert user can only see dn and ou mod = "(OA;;RP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % (str(self.user_sid)) - self.dacl_add_ace("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou3,OU=ou2,OU=ou1," + self.base_dn, mod) res = self.ldb_user.search("OU=ou1," + self.base_dn, expression="(ou=ou3)", scope=SCOPE_SUBTREE) self.assertEquals(len(res), 1) @@ -945,7 +904,7 @@ class AclSearchTests(AclTests): #give read property on Public Information and assert user can see ou and other members mod = "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;%s)" % (str(self.user_sid)) - self.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) + self.sd_utils.dacl_add_ace("OU=ou2,OU=ou1," + self.base_dn, mod) res = self.ldb_user.search("OU=ou1," + self.base_dn, expression="(ou=ou2)", scope=SCOPE_SUBTREE) self.assertEquals(len(res), 1) @@ -986,7 +945,7 @@ class AclDeleteTests(AclTests): # Create user that we try to delete self.ldb_admin.newuser("test_delete_user1", self.user_pass) mod = "(A;;SD;;;AU)" - self.dacl_add_ace(user_dn, mod) + self.sd_utils.dacl_add_ace(user_dn, mod) # Try to delete User object self.ldb_user.delete(user_dn) res = self.ldb_admin.search(self.base_dn, @@ -998,8 +957,8 @@ class AclDeleteTests(AclTests): user_dn = self.get_user_dn("test_delete_user1") # Create user that we try to delete self.ldb_admin.newuser("test_delete_user1", self.user_pass) - mod = "(A;;SD;;;%s)" % self.get_object_sid(self.get_user_dn(self.regular_user)) - self.dacl_add_ace(user_dn, mod) + mod = "(A;;SD;;;%s)" % self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user)) + self.sd_utils.dacl_add_ace(user_dn, mod) # Try to delete User object self.ldb_user.delete(user_dn) res = self.ldb_admin.search(self.base_dn, @@ -1066,7 +1025,7 @@ class AclRenameTests(AclTests): self.ldb_admin.create_ou(ou_dn) self.ldb_admin.newuser(self.testuser1, self.user_pass, userou=self.ou1) mod = "(A;;WP;;;AU)" - self.dacl_add_ace(user_dn, mod) + self.sd_utils.dacl_add_ace(user_dn, mod) # Rename 'User object' having WP to AU self.ldb_user.rename(user_dn, rename_user_dn) res = self.ldb_admin.search(self.base_dn, @@ -1084,9 +1043,9 @@ class AclRenameTests(AclTests): # Create OU structure self.ldb_admin.create_ou(ou_dn) self.ldb_admin.newuser(self.testuser1, self.user_pass, userou=self.ou1) - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user)) mod = "(A;;WP;;;%s)" % str(sid) - self.dacl_add_ace(user_dn, mod) + self.sd_utils.dacl_add_ace(user_dn, mod) # Rename 'User object' having WP to AU self.ldb_user.rename(user_dn, rename_user_dn) res = self.ldb_admin.search(self.base_dn, @@ -1107,9 +1066,9 @@ class AclRenameTests(AclTests): self.ldb_admin.create_ou(ou2_dn) self.ldb_admin.newuser(self.testuser2, self.user_pass, userou=self.ou1) mod = "(A;;WPSD;;;AU)" - self.dacl_add_ace(user_dn, mod) + self.sd_utils.dacl_add_ace(user_dn, mod) mod = "(A;;CC;;;AU)" - self.dacl_add_ace(ou2_dn, mod) + self.sd_utils.dacl_add_ace(ou2_dn, mod) # Rename 'User object' having SD and CC to AU self.ldb_user.rename(user_dn, rename_user_dn) res = self.ldb_admin.search(self.base_dn, @@ -1129,11 +1088,11 @@ class AclRenameTests(AclTests): self.ldb_admin.create_ou(ou1_dn) self.ldb_admin.create_ou(ou2_dn) self.ldb_admin.newuser(self.testuser2, self.user_pass, userou=self.ou1) - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user)) mod = "(A;;WPSD;;;%s)" % str(sid) - self.dacl_add_ace(user_dn, mod) + self.sd_utils.dacl_add_ace(user_dn, mod) mod = "(A;;CC;;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) + self.sd_utils.dacl_add_ace(ou2_dn, mod) # Rename 'User object' having SD and CC to AU self.ldb_user.rename(user_dn, rename_user_dn) res = self.ldb_admin.search(self.base_dn, @@ -1154,12 +1113,12 @@ class AclRenameTests(AclTests): self.ldb_admin.create_ou(ou2_dn) #mod = "(A;CI;DCWP;;;AU)" mod = "(A;;DC;;;AU)" - self.dacl_add_ace(ou1_dn, mod) + self.sd_utils.dacl_add_ace(ou1_dn, mod) mod = "(A;;CC;;;AU)" - self.dacl_add_ace(ou2_dn, mod) + self.sd_utils.dacl_add_ace(ou2_dn, mod) self.ldb_admin.newuser(self.testuser2, self.user_pass, userou=self.ou1) mod = "(A;;WP;;;AU)" - self.dacl_add_ace(user_dn, mod) + self.sd_utils.dacl_add_ace(user_dn, mod) # Rename 'User object' having SD and CC to AU self.ldb_user.rename(user_dn, rename_user_dn) res = self.ldb_admin.search(self.base_dn, @@ -1181,9 +1140,9 @@ class AclRenameTests(AclTests): self.ldb_admin.create_ou(ou2_dn) self.ldb_admin.create_ou(ou3_dn) mod = "(A;CI;WPDC;;;AU)" - self.dacl_add_ace(ou1_dn, mod) + self.sd_utils.dacl_add_ace(ou1_dn, mod) mod = "(A;;CC;;;AU)" - self.dacl_add_ace(ou3_dn, mod) + self.sd_utils.dacl_add_ace(ou3_dn, mod) self.ldb_admin.newuser(self.testuser2, self.user_pass, userou=self.ou1) # Rename 'User object' having SD and CC to AU self.ldb_user.rename(user_dn, rename_user_dn) @@ -1202,11 +1161,11 @@ class AclRenameTests(AclTests): # Create OU structure self.ldb_admin.create_ou(ou1_dn) self.ldb_admin.create_ou(ou2_dn) - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user)) mod = "(OA;;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) + self.sd_utils.dacl_add_ace(ou2_dn, mod) mod = "(OD;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) + self.sd_utils.dacl_add_ace(ou2_dn, mod) try: self.ldb_user.rename(ou2_dn, ou3_dn) except LdbError, (num, _): @@ -1214,9 +1173,9 @@ class AclRenameTests(AclTests): else: # This rename operation should always throw ERR_INSUFFICIENT_ACCESS_RIGHTS self.fail() - sid = self.get_object_sid(self.get_user_dn(self.regular_user)) + sid = self.sd_utils.get_object_sid(self.get_user_dn(self.regular_user)) mod = "(A;;WP;bf9679f0-0de6-11d0-a285-00aa003049e2;;%s)" % str(sid) - self.dacl_add_ace(ou2_dn, mod) + self.sd_utils.dacl_add_ace(ou2_dn, mod) self.ldb_user.rename(ou2_dn, ou3_dn) res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % ou2_dn) self.assertEqual(res, []) @@ -1243,11 +1202,11 @@ class AclCARTests(AclTests): def test_change_password1(self): """Try a password change operation without any CARs given""" #users have change password by default - remove for negative testing - desc = self.read_desc(self.get_user_dn(self.user_with_wp)) + desc = self.sd_utils.read_sd_on_dn(self.get_user_dn(self.user_with_wp)) sddl = desc.as_sddl(self.domain_sid) sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)", "") sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)", "") - self.modify_desc(self.get_user_dn(self.user_with_wp), sddl) + self.sd_utils.modify_sd_on_dn(self.get_user_dn(self.user_with_wp), sddl) try: self.ldb_user.modify_ldif(""" dn: """ + self.get_user_dn(self.user_with_wp) + """ @@ -1265,14 +1224,14 @@ unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS2\"".encode('utf-16-le')) def test_change_password2(self): """Make sure WP has no influence""" - desc = self.read_desc(self.get_user_dn(self.user_with_wp)) + desc = self.sd_utils.read_sd_on_dn(self.get_user_dn(self.user_with_wp)) sddl = desc.as_sddl(self.domain_sid) sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)", "") sddl = sddl.replace("(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)", "") - self.modify_desc(self.get_user_dn(self.user_with_wp), sddl) + self.sd_utils.modify_sd_on_dn(self.get_user_dn(self.user_with_wp), sddl) mod = "(A;;WP;;;PS)" -- Samba Shared Repository