[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-104-g08ce8a4

Jelmer Vernooij jelmer at samba.org
Tue Sep 8 16:01:07 MDT 2009


The branch, master has been updated
       via  08ce8a4752e2be1990901cff586b3270bd78fc2b (commit)
       via  af0946c101ed6507a2df584a9772bedfec32c8b2 (commit)
      from  5f2ec4b202492c7b06a59606dbc5d5eb366be533 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 08ce8a4752e2be1990901cff586b3270bd78fc2b
Author: Jelmer Vernooij <jelmer at samba.org>
Date:   Tue Sep 8 23:30:21 2009 +0200

    Mark test_security_descriptor_add_neg as known failing (for now).

commit af0946c101ed6507a2df584a9772bedfec32c8b2
Author: Zahari Zahariev <zahari.zahariev at postpath.com>
Date:   Tue Sep 8 16:00:24 2009 +0300

    Basic tests for nTSecurityDescriptor in both SDDL and BASE64 format
    
    These are updated, second-edition unittests using ldb.add_ldif()
    and ldb.modify_ldif(). Unittests are found to work when using
    the right local domain SID. Negative test separated.
    
    Signed-off-by: Jelmer Vernooij <jelmer at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source4/lib/ldb/tests/python/ldap.py |  196 +++++++++++++++++++++++++++++++++-
 source4/selftest/knownfail           |    1 +
 2 files changed, 195 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py
index 8cd4a22..5b2d380 100755
--- a/source4/lib/ldb/tests/python/ldap.py
+++ b/source4/lib/ldb/tests/python/ldap.py
@@ -7,6 +7,7 @@ import optparse
 import sys
 import time
 import random
+import base64
 
 sys.path.append("bin/python")
 sys.path.append("../lib/subunit/python")
@@ -23,6 +24,9 @@ from samba import Ldb, param, dom_sid_to_rid
 from subunit import SubunitTestRunner
 import unittest
 
+from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc import security
+
 parser = optparse.OptionParser("ldap [options] <host>")
 sambaopts = options.SambaOptions(parser)
 parser.add_option_group(sambaopts)
@@ -64,12 +68,17 @@ class BasicTests(unittest.TestCase):
         self.assertEquals(len(res), 1)
         return res[0]["schemaNamingContext"][0]
 
+    def find_domain_sid(self):
+        res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE)
+        return ndr_unpack( security.dom_sid,res[0]["objectSid"][0])
+
     def setUp(self):
         self.ldb = ldb
         self.gc_ldb = gc_ldb
         self.base_dn = self.find_basedn(ldb)
         self.configuration_dn = self.find_configurationdn(ldb)
         self.schema_dn = self.find_schemadn(ldb)
+        self.domain_sid = self.find_domain_sid()
 
         print "baseDN: %s\n" % self.base_dn
 
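Review bot: find_domain_sid indexes `res[0]["objectSid"][0]` without checking the search result, unlike the helper just above it, which asserts `len(res) == 1` before reading `res[0]`. Because setUp now calls it for every test, an empty or unexpected result would surface as an IndexError or KeyError in each test instead of one clear failure; add `self.assertEquals(len(res), 1)` before the return. A one-line docstring such as `"""Return the domain SID unpacked from the base DN's objectSid."""` would also help, since every descriptor comparison in the new tests depends on this value. setUp may continue past the end of this hunk.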
@@ -97,7 +106,7 @@ class BasicTests(unittest.TestCase):
     def test_parentGUID(self):
         """Test parentGUID behaviour"""
         print "Testing parentGUID behaviour\n"
-        
+
         self.ldb.add({
             "dn": "cn=parentguidtest,cn=users," + self.base_dn,
             "objectclass":"user",
@@ -128,7 +137,7 @@ class BasicTests(unittest.TestCase):
     def test_groupType(self):
         """Test groupType behaviour (should appear to be casted to a 32 bit signed integer before comparsion)"""
         print "Testing groupType behaviour\n"
-        
+
         res1 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
                           attrs=["groupType"], expression="groupType=2147483653");
 
@@ -1203,6 +1212,189 @@ member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
         res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
         self.assertTrue(len(res) > 0)
 
+    def test_security_descriptor_add(self):
+        """ Testing ldb.add_ldif() for nTSecurityDescriptor """
+        user_name = "testdescriptoruser1"
+        user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
+        #
+        # Test add_ldif() with SDDL security descriptor input
+        #
+        self.delete_force(self.ldb, user_dn)
+        try:
+            sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+            self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name + """
+nTSecurityDescriptor: """ + sddl)
+            res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+            desc = res[0]["nTSecurityDescriptor"][0]
+            desc = ndr_unpack( security.descriptor, desc )
+            desc_sddl = desc.as_sddl( self.domain_sid )
+            self.assertEqual(desc_sddl, sddl)
+        finally:
+            self.delete_force(self.ldb, user_dn)
+        #
+        # Test add_ldif() with BASE64 security descriptor
+        #
+        try:
+            sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+            desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+            desc_binary = ndr_pack(desc)
+            desc_base64 = base64.b64encode(desc_binary)
+            self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name + """
+nTSecurityDescriptor:: """ + desc_base64)
+            res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+            desc = res[0]["nTSecurityDescriptor"][0]
+            desc = ndr_unpack(security.descriptor, desc)
+            desc_sddl = desc.as_sddl(self.domain_sid)
+            self.assertEqual(desc_sddl, sddl)
+        finally:
+            self.delete_force(self.ldb, user_dn)
+
+    def test_security_descriptor_add_neg(self):
+        """Test add_ldif() with BASE64 security descriptor input using WRONG domain SID
+            Negative test
+        """
+        user_name = "testdescriptoruser1"
+        user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
+        self.delete_force(self.ldb, user_dn)
+        try:
+            sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+            desc = security.descriptor.from_sddl(sddl, security.dom_sid('S-1-5-21'))
+            desc_base64 = base64.b64encode( ndr_pack(desc) )
+            self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name + """
+nTSecurityDescriptor:: """ + desc_base64)
+            res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+            print res
+            self.assertRaises(KeyError, lambda: res[0]["nTSecurityDescriptor"])
+        finally:
+            self.delete_force(self.ldb, user_dn)
+
+    def test_security_descriptor_modify(self):
+        """ Testing ldb.modify_ldif() for nTSecurityDescriptor """
+        user_name = "testdescriptoruser2"
+        user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
+        #
+        # Delete user object and test modify_ldif() with SDDL security descriptor input
+        # Add ACE to the original descriptor test
+        #
+        try:
+            self.delete_force(self.ldb, user_dn)
+            self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+            # Modify descriptor
+            res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+            desc = res[0]["nTSecurityDescriptor"][0]
+            desc = ndr_unpack(security.descriptor, desc)
+            desc_sddl = desc.as_sddl(self.domain_sid)
+            sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):]
+            mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor: """ + sddl
+            self.ldb.modify_ldif(mod)
+            # Read modified descriptor
+            res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+            desc = res[0]["nTSecurityDescriptor"][0]
+            desc = ndr_unpack(security.descriptor, desc)
+            desc_sddl = desc.as_sddl(self.domain_sid)
+            self.assertEqual(desc_sddl, sddl)
+        finally:
+            self.delete_force(self.ldb, user_dn)
+        #
+        # Test modify_ldif() with SDDL security descriptor input
+        # New desctiptor test
+        #
+        try:
+            self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+            # Modify descriptor
+            sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+            mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor: """ + sddl
+            self.ldb.modify_ldif(mod)
+            # Read modified descriptor
+            res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+            desc = res[0]["nTSecurityDescriptor"][0]
+            desc = ndr_unpack(security.descriptor, desc)
+            desc_sddl = desc.as_sddl(self.domain_sid)
+            self.assertEqual(desc_sddl, sddl)
+        finally:
+            self.delete_force(self.ldb, user_dn)
+        #
+        # Test modify_ldif() with BASE64 security descriptor input
+        # Add ACE to the original descriptor test
+        #
+        try:
+            self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+            # Modify descriptor
+            res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+            desc = res[0]["nTSecurityDescriptor"][0]
+            desc = ndr_unpack(security.descriptor, desc)
+            desc_sddl = desc.as_sddl(self.domain_sid)
+            sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):]
+            desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+            desc_base64 = base64.b64encode(ndr_pack(desc))
+            mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor:: """ + desc_base64
+            self.ldb.modify_ldif(mod)
+            # Read modified descriptor
+            res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+            desc = res[0]["nTSecurityDescriptor"][0]
+            desc = ndr_unpack(security.descriptor, desc)
+            desc_sddl = desc.as_sddl(self.domain_sid)
+            self.assertEqual(desc_sddl, sddl)
+        finally:
+            self.delete_force(self.ldb, user_dn)
+        #
+        # Test modify_ldif() with BASE64 security descriptor input
+        # New descriptor test
+        #
+        try:
+            self.delete_force(self.ldb, user_dn)
+            self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+            # Modify descriptor
+            sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+            desc = security.descriptor.from_sddl(sddl, self.domain_sid)
+            desc_base64 = base64.b64encode(ndr_pack(desc))
+            mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor:: """ + desc_base64
+            self.ldb.modify_ldif(mod)
+            # Read modified descriptor
+            res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+            desc = res[0]["nTSecurityDescriptor"][0]
+            desc = ndr_unpack(security.descriptor, desc)
+            desc_sddl = desc.as_sddl(self.domain_sid)
+            self.assertEqual(desc_sddl, sddl)
+        finally:
+            self.delete_force(self.ldb, user_dn)
 
 class BaseDnTests(unittest.TestCase):
     def setUp(self):
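Review bot: test_security_descriptor_add_neg does not pin down what the server must do with a descriptor built against the wrong domain SID. `add_ldif()` is expected to succeed, and the only assertion is that `res[0]["nTSecurityDescriptor"]` raises KeyError, which would also hold if the attribute were missing from the result for an unrelated reason. State the intended outcome in the docstring and assert it directly; if the add is meant to be refused, wrap the `add_ldif()` call in `self.assertRaises(LdbError, ...)` (assuming LdbError is imported in this file, which the hunk does not show), and drop the leftover `print res`. Separately, test_security_descriptor_modify splices the ACE in at `desc_sddl.find("(")`, which returns -1 when the default descriptor has no ACE and would land in the SACL when the DACL is empty, so locating the `D:` section explicitly would make the insertion point unambiguous.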
diff --git a/source4/selftest/knownfail b/source4/selftest/knownfail
index 68d406a..0d0f59f 100644
--- a/source4/selftest/knownfail
+++ b/source4/selftest/knownfail
@@ -55,3 +55,4 @@ samba4.winbind.struct.*.LOOKUP_NAME_SID   # Not yet working in winbind
 ^samba4.*base.delaywrite.*delayed update of write time 3c$
 ^samba4.*base.delaywrite.*update of write time using SET_END_OF_FILE$
 ^samba4.*base.delaywrite.*update of write time using SET_ALLOCATION_SIZE$
+^samba4.ldap.python \(dc\).Test add_ldif\(\) with BASE64 security descriptor input using WRONG domain SID$
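Review bot: The new knownfail entry gives no reason and appears to be keyed to the first docstring line of test_security_descriptor_add_neg, so rewording that docstring would silently stop the pattern from matching. Add a trailing `# <reason>` comment, as the first context line in this hunk does, and note the condition under which the entry can be removed, since the commit message says the marking is only "for now". A known-failing negative test for security descriptor handling is easy to forget once it stops being reported.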


-- 
Samba Shared Repository

