[PATCH] Basic Ldb unittests involving nTSecurityDescriptor

Zahari Zahariev zahari.zahariev at postpath.com
Thu Aug 13 05:51:04 MDT 2009


The provided unittests use the ldb.add_ldif() and ldb.modify_ldif() member functions.
They cover the cases where the security descriptor is supplied as SDDL or as BASE64 input.
---
 source4/lib/ldb/tests/python/ldap.py |  152 ++++++++++++++++++++++++++++++++++
 1 files changed, 152 insertions(+), 0 deletions(-)

diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py
index 00fb307..5587db4 100755
--- a/source4/lib/ldb/tests/python/ldap.py
+++ b/source4/lib/ldb/tests/python/ldap.py
@@ -6,12 +6,16 @@ import getopt
 import optparse
 import sys
 import time
+import base64
 
 sys.path.append("bin/python")
 sys.path.append("../lib/subunit/python")
 
 import samba.getopt as options
 
+from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc import security
+
 from samba.auth import system_session
 from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
 from ldb import ERR_NO_SUCH_OBJECT, ERR_ATTRIBUTE_OR_VALUE_EXISTS
@@ -1084,6 +1088,154 @@ member: CN=ldaptestutf8user èùéìòà,CN=Users,""" + self.base_dn + """
         res = ldb.search(self.base_dn, expression="objectCategory=group", scope=SCOPE_SUBTREE, attrs=["cn"], controls=["domain_scope:1"])
         self.assertTrue(len(res) > 0)
 
+    def test_security_descriptor_add(self):
+        """ Testing self.ldb.add_ldif() for nTSecurityDescriptor """
+        user_name = "testdescriptoruser1"
+        user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
+        #
+        # Delete user object and test add_ldif() with SDDL security descriptor input
+        #
+        self.delete_force(self.ldb, user_dn)
+        sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+        self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name + """
+nTSecurityDescriptor: """ + sddl)
+        res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+        desc = res[0]["nTSecurityDescriptor"][0]
+        desc = ndr_unpack( security.descriptor, desc )
+        desc_sddl = desc.as_sddl(security.dom_sid('S-1-5-21'))
+        self.assertEqual(desc_sddl, sddl)
+        #
+        # Delete user object and test add_ldif() with base64 security descriptor input
+        #
+        self.delete_force(self.ldb, user_dn)
+        sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+        desc = security.descriptor.from_sddl( sddl, security.dom_sid('S-1-5-21') )
+        desc_base64 = base64.encodestring( ndr_pack(desc) )
+        desc_base64 = "".join(desc_base64.split("\n"))
+        self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name + """
+nTSecurityDescriptor:: """ + desc_base64)
+        res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+        desc = res[0]["nTSecurityDescriptor"][0]
+        desc = ndr_unpack( security.descriptor, desc )
+        desc_sddl = desc.as_sddl(security.dom_sid('S-1-5-21'))
+        self.assertEqual(desc_sddl, sddl)
+
+    def test_security_descriptor_modify(self):
+        """ Testing self.ldb.modify_ldif() for nTSecurityDescriptor """
+        user_name = "testdescriptoruser2"
+        user_dn = "CN=%s,CN=Users,%s" % (user_name, self.base_dn)
+        #
+        # Delete user object and test modify_ldif() with SDDL security descriptor input
+        # Add ACE to the original descriptor test
+        #
+        self.delete_force(self.ldb, user_dn)
+        self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+        # Modify descriptor
+        res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+        desc = res[0]["nTSecurityDescriptor"][0]
+        desc = ndr_unpack(security.descriptor, desc)
+        desc_sddl = desc.as_sddl(security.dom_sid('S-1-5-21'))
+        sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):]
+        mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor: """ + sddl
+        self.ldb.modify_ldif(mod)
+        # Read modified descriptor
+        res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+        desc = res[0]["nTSecurityDescriptor"][0]
+        desc = ndr_unpack(security.descriptor, desc)
+        desc_sddl = desc.as_sddl(security.dom_sid('S-1-5-21'))
+        self.assertEqual(desc_sddl, sddl)
+        #
+        # Delete user object and test modify_ldif() with SDDL security descriptor input
+        # New desctiptor test
+        #
+        self.delete_force(self.ldb, user_dn)
+        self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+        # Modify descriptor
+        sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+        mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor: """ + sddl
+        self.ldb.modify_ldif(mod)
+        # Read modified descriptor
+        res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+        desc = res[0]["nTSecurityDescriptor"][0]
+        desc = ndr_unpack(security.descriptor, desc)
+        desc_sddl = desc.as_sddl(security.dom_sid('S-1-5-21'))
+        self.assertEqual(desc_sddl, sddl)
+        #
+        # Delete user object and test modify_ldif() with BASE64 security descriptor input
+        # Add ACE to the original descriptor test
+        #
+        self.delete_force(self.ldb, user_dn)
+        self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+        # Modify descriptor
+        res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+        desc = res[0]["nTSecurityDescriptor"][0]
+        desc = ndr_unpack(security.descriptor, desc)
+        desc_sddl = desc.as_sddl(security.dom_sid('S-1-5-21'))
+        sddl = desc_sddl[:desc_sddl.find("(")] + "(A;;RPWP;;;AU)" + desc_sddl[desc_sddl.find("("):]
+        desc = security.descriptor.from_sddl( sddl, security.dom_sid('S-1-5-21') )
+        desc_base64 = base64.encodestring( ndr_pack(desc) )
+        desc_base64 = "".join(desc_base64.split("\n"))
+        mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor:: """ + desc_base64
+        self.ldb.modify_ldif(mod)
+        # Read modified descriptor
+        res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+        desc = res[0]["nTSecurityDescriptor"][0]
+        desc = ndr_unpack(security.descriptor, desc)
+        desc_sddl = desc.as_sddl(security.dom_sid('S-1-5-21'))
+        self.assertEqual(desc_sddl, sddl)
+        #
+        # Delete user object and test modify_ldif() with BASE64 security descriptor input
+        # New descriptor test
+        #
+        self.delete_force(self.ldb, user_dn)
+        self.ldb.add_ldif("""
+dn: """ + user_dn + """
+objectclass: user
+sAMAccountName: """ + user_name)
+        # Modify descriptor
+        sddl = "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI"
+        desc = security.descriptor.from_sddl( sddl, security.dom_sid('S-1-5-21') )
+        desc_base64 = base64.encodestring( ndr_pack(desc) )
+        desc_base64 = "".join(desc_base64.split("\n"))
+        mod = """
+dn: """ + user_dn + """
+changetype: modify
+replace: nTSecurityDescriptor
+nTSecurityDescriptor:: """ + desc_base64
+        self.ldb.modify_ldif(mod)
+        # Read modified descriptor
+        res = self.ldb.search(base=user_dn, attrs=["nTSecurityDescriptor"])
+        desc = res[0]["nTSecurityDescriptor"][0]
+        desc = ndr_unpack(security.descriptor, desc)
+        desc_sddl = desc.as_sddl(security.dom_sid('S-1-5-21'))
+        self.assertEqual(desc_sddl, sddl)
 
 class BaseDnTests(unittest.TestCase):
     def setUp(self):
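Review bot: The domain SID passed to as_sddl() and from_sddl() is the hard-coded placeholder `security.dom_sid('S-1-5-21')` (lines 55, 62, 73, 93, 105, 128, 143, 145, 158, 171, 184) rather than the SID of the domain under test, so the domain-relative aliases in the SDDL ("DU", "DA") are encoded and decoded against a SID that presumably differs from the one the server uses; the base64 variant therefore stores an owner/group SID rooted at S-1-5-21 and the round-trip only passes because both sides share the same placeholder. Reading the domain SID once from the base DN's objectSid (hedged: the file's existing helpers for this are outside the hunk) and keeping it on `self` would make the assertions check what the server actually stored. The search/ndr_unpack/as_sddl sequence is repeated six times across both tests; a small helper such as the one below would remove the duplication and make the assertions read as one line each. Neither test removes the user it created after its final assertion, so a failed assertion leaves `testdescriptoruser1`/`testdescriptoruser2` behind; a trailing `self.delete_force(self.ldb, user_dn)` (or a tearDown) keeps later runs independent of this one. The enclosing class header is outside the hunk.
```python
    def _read_sddl(self, dn, domain_sid):
        """Return the nTSecurityDescriptor stored on *dn* rendered as SDDL."""
        res = self.ldb.search(base=dn, attrs=["nTSecurityDescriptor"])
        desc = ndr_unpack(security.descriptor, res[0]["nTSecurityDescriptor"][0])
        return desc.as_sddl(domain_sid)
    # … unchanged: test_security_descriptor_add / test_security_descriptor_modify bodies,
    # with each search+ndr_unpack+as_sddl block replaced by self._read_sddl(user_dn, domain_sid) …
```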
-- 
1.5.6.3

