From c42ea90683d562d618700e0b79abe04ba9bc5b1d Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 15 Mar 2022 14:01:13 +1300
Subject: [PATCH 1/8] libcli/security: Reorder SDDL access flags table to match Windows
This means that encoding an ACE in string form will now match Windows.
Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Joseph Sutton
Signed-off-by: Stefan Metzmacher
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Tue Mar 21 01:19:16 UTC 2023 on atb-devel-224
(cherry picked from commit be1aae77b7610933b1121f207e0a4df523c2d278)
---
 libcli/security/sddl.c | 18 +++++++++---------
 python/samba/tests/upgradeprovision.py | 20 ++++++++++----------
 source4/dsdb/tests/python/sec_descriptor.py | 12 ++++++------
 source4/torture/ldb/ldb.c | 18 +++++++++---------
 4 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index e6c3c94f2150..6c9929053ce3 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -237,23 +237,23 @@ static const struct flag_map ace_flags[] = {
 };
 static const struct flag_map ace_access_mask[] = {
- { "RP", SEC_ADS_READ_PROP },
- { "WP", SEC_ADS_WRITE_PROP },
- { "CR", SEC_ADS_CONTROL_ACCESS },
 { "CC", SEC_ADS_CREATE_CHILD },
 { "DC", SEC_ADS_DELETE_CHILD },
 { "LC", SEC_ADS_LIST },
+ { "SW", SEC_ADS_SELF_WRITE },
+ { "RP", SEC_ADS_READ_PROP },
+ { "WP", SEC_ADS_WRITE_PROP },
+ { "DT", SEC_ADS_DELETE_TREE },
 { "LO", SEC_ADS_LIST_OBJECT },
+ { "CR", SEC_ADS_CONTROL_ACCESS },
+ { "SD", SEC_STD_DELETE },
 { "RC", SEC_STD_READ_CONTROL },
- { "WO", SEC_STD_WRITE_OWNER },
 { "WD", SEC_STD_WRITE_DAC },
- { "SD", SEC_STD_DELETE },
- { "DT", SEC_ADS_DELETE_TREE },
- { "SW", SEC_ADS_SELF_WRITE },
+ { "WO", SEC_STD_WRITE_OWNER },
 { "GA", SEC_GENERIC_ALL },
- { "GR", SEC_GENERIC_READ },
- { "GW", SEC_GENERIC_WRITE },
 { "GX", SEC_GENERIC_EXECUTE },
+ { "GW", SEC_GENERIC_WRITE },
+ { "GR", SEC_GENERIC_READ },
 { NULL, 0 }
 };
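Review bot: Nothing in the new `ace_access_mask[]` says that its order is load-bearing, yet this commit exists only because the encoder emits flags in table order; the next contributor who sorts the entries alphabetically will silently change every SDDL string Samba produces and break the string expectations updated elsewhere in this patch. Add a comment above the array such as `/* Keep this in the order Windows uses when it renders an access mask (MS-DTYP SDDL): the encoder emits flags by walking this table top to bottom, and tests compare the resulting SDDL strings verbatim. */`. The seventeen name/flag pairs are identical before and after the reorder, so, assuming the parser matches entries by name rather than by position, decoding of stored SDDL is unaffected and only the encoded form changes.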
diff --git a/python/samba/tests/upgradeprovision.py b/python/samba/tests/upgradeprovision.py
index 5f77a777fc91..b281ad8722fb 100644
--- a/python/samba/tests/upgradeprovision.py
+++ b/python/samba/tests/upgradeprovision.py
@@ -64,21 +64,21 @@ class UpgradeProvisionTestCase(TestCaseInTempDir):
 def test_get_diff_sds(self):
 domsid = security.dom_sid('S-1-5-21')
- sddl = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
+ sddl = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
 (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)"
- sddl1 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
+ sddl1 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
 (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)"
- sddl2 = "O:BAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
+ sddl2 = "O:BAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
 (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)"
- sddl3 = "O:SAG:BAD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
+ sddl3 = "O:SAG:BAD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
 (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)"
- sddl4 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;BA)\
+ sddl4 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;BA)\
 (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)"
- sddl5 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
+ sddl5 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
 (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
- sddl6 = "O:SAG:DUD:AI(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)\
+ sddl6 = "O:SAG:DUD:AI(A;CIID;CCLCSWRPWPLOCRRCWDWO;;;SA)\
 (A;CIID;RP LCLORC;;;AU)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)\
-(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
+(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
 (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)(AU;CIIDSA;WP;;;WD)"
 self.assertEqual(get_diff_sds(security.descriptor.from_sddl(sddl, domsid),
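Review bot: The updated expectation strings now pin the encoder's flag order (`CCLCSWRPWPLOCRRCWDWO` in place of `RPWPCRCCLCLORCWOWDSW`), which is the point of the series, but nothing in the test says so; a reader diffing the old and new SA ACE sees a permutation of the same letters and cannot tell which order is canonical or why a future reorder would be a regression. A one-line comment before the first `sddl =` assignment would make that explicit, e.g. `# Access-mask letters are written in Samba's canonical (Windows) order; see ace_access_mask[] in libcli/security/sddl.c`. The same applies to the `txtmsg` hunk at -96, the sec_descriptor.py hunk at -1638 and the LDIF fixture in source4/torture/ldb/ldb.c. test_get_diff_sds continues outside the hunk.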
@@ -96,8 +96,8 @@ class UpgradeProvisionTestCase(TestCaseInTempDir):
 security.descriptor.from_sddl(sddl4, domsid), domsid)
 txtmsg = "\tPart dacl is different between reference and current here\
- is the detail:\n\t\t(A;CI;RPWPCRCCLCLORCWOWDSW;;;BA) ACE is not present in\
- the reference\n\t\t(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA) ACE is not present in\
+ is the detail:\n\t\t(A;CI;CCLCSWRPWPLOCRRCWDWO;;;BA) ACE is not present in\
+ the reference\n\t\t(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA) ACE is not present in\
 the current\n"
 self.assertEqual(txt, txtmsg)
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index 5410e9f72462..43fc6dc75004 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -1638,22 +1638,22 @@ class DaclDescriptorTests(DescriptorTests):
 self.ldb_admin.create_ou(ou_dn6)
 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
- self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
- self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
 self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
- self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
- self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
 self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
- self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
 desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
- self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
+ self.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
 self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
 def test_215(self):
diff --git a/source4/torture/ldb/ldb.c b/source4/torture/ldb/ldb.c
index c170416bec42..94a89f71165a 100644
--- a/source4/torture/ldb/ldb.c
+++ b/source4/torture/ldb/ldb.c
@@ -375,9 +375,9 @@ static const char dda1d01d_ldif[] = ""
 "uSNChanged: 3467\n"
 "showInAdvancedViewOnly: TRUE\n"
 "nTSecurityDescriptor: O:S-1-5-21-2106703258-1007804629-1260019310-512G:S-1-5-2\n"
-" 1-2106703258-1007804629-1260019310-512D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-\n"
-" 1-5-21-2106703258-1007804629-1260019310-512)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;\n"
-" SY)(A;;RPLCLORC;;;AU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828c\n"
+" 1-2106703258-1007804629-1260019310-512D:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-\n"
+" 1-5-21-2106703258-1007804629-1260019310-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;\n"
+" SY)(A;;LCRPLORC;;;AU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828c\n"
 " c14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa\n"
 " 006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-\n"
 " 11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;\n"
@@ -392,12 +392,12 @@ static const char dda1d01d_ldif[] = ""
 " 9e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-\n"
 " a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967\n"
 " a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0\n"
-" c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;;4828cc1\n"
-" 4-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285\n"
-" -00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU\n"
-" )(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RPWPCRCCDCL\n"
-" CLORCWOWDSDDTSW;;;S-1-5-21-2106703258-1007804629-1260019310-519)(A;CIID;LC;;;\n"
-" RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1\n"
+" c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;LCRPLORC;;4828cc1\n"
+" 4-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285\n"
+" -00aa003049e2;RU)(OA;CIIOID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU\n"
+" )(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;CCDCLCSWRPW\n"
+" PDTLOCRSDRCWDWO;;;S-1-5-21-2106703258-1007804629-1260019310-519)(A;CIID;LC;;;\n"
+" RU)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1\n"
 " -b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f3\n"
 " 0e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)\n"
 "name: dda1d01d-4bd7-4c49-a184-46f9241b560e\n"
-- 2.34.1
From 2d54b99defde2f445cda92964c0b2f0b5a4714e1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 20 Mar 2023 12:04:37 +0100
Subject: [PATCH 2/8] s4:dsdb/tests: let OwnerGroupDescriptorTests.test_141() set the required ACE explicitly
All other tests use the same logic and run before, which means the ACE is already there and is implicitly required. As we want to cleanup the ACE after each test in the next step, as the tests should not have side effects for other tests, e.g. 'blackbox.dbcheck'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
(cherry picked from commit 7b0d5285361e6dc40e09bc0d36bb2aae5d5a86a7)
---
 source4/dsdb/tests/python/sec_descriptor.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index 43fc6dc75004..f9e41eddec4c 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -865,6 +865,9 @@ class OwnerGroupDescriptorTests(DescriptorTests):
 self.check_user_belongs(self.get_users_domain_dn(user_name), [])
 # Open Ldb connection with the tested user
 _ldb = self.get_ldb_connection(user_name, "samba123@")
+ # Change Schema partition descriptor
+ mod = "(A;;CC;;;AU)"
+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
 # Create a custom security descriptor
 # NB! Problematic owner part won't accept DA only !!!
 user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
-- 2.34.1
From d2ed19e0da42ce882d1521a7d0ef180ab46fcad4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 20 Mar 2023 12:04:37 +0100
Subject: [PATCH 3/8] s4:dsdb/tests: let OwnerGroupDescriptorTests() remove temporary ACEs on cleanup
Otherwise we impact other unrelated tests, e.g. 'blackbox.dbcheck'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
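Review bot: The added `dacl_add_ace(self.schema_dn, mod)` grants Authenticated Users create-child on the schema partition for the rest of the run unless something removes it, and this hunk leaves the removal to a tearDown list maintained elsewhere (the next patch in the series adds one). Registering the undo at the point of the grant ties the two together and survives later edits to the tearDown: `self.addCleanup(self.sd_utils.dacl_delete_aces, self.schema_dn, mod)` directly after the `dacl_add_ace` call. The comment `# Change Schema partition descriptor` could also say what is granted and why the test needs it, since `(A;;CC;;;AU)` is not self-explanatory. test_141 begins and ends outside the hunk.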
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
(cherry picked from commit e0a8e043d339cf5e1c9b2643e6d151ab2ae81c05)
---
 source4/dsdb/tests/python/sec_descriptor.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index f9e41eddec4c..3732828cb9a0 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -183,6 +183,8 @@ class OwnerGroupDescriptorTests(DescriptorTests):
 delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
 delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
 # SCHEMA
+ mod = "(A;CI;WDCC;;;AU)(A;;CC;;;AU)"
+ self.sd_utils.dacl_delete_aces(self.schema_dn, mod)
 # CONFIGURATION
 delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers," + self.configuration_dn)
-- 2.34.1
From 5b315897b9bd8d4a9c8dbb796b49b9beb9dce63b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 20 Mar 2023 13:02:47 +0100
Subject: [PATCH 4/8] s4:dsdb/tests: let AclUndeleteTests.test_undelete() remove the temporary ACE again
Otherwise we impact other unrelated tests, e.g. 'blackbox.dbcheck'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
(cherry picked from commit 2436d621d1940f127f164ca227a14b1d9b573eb5)
---
 source4/dsdb/tests/python/acl.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index ee6b5ae5cf6c..2dd8c541bafa 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -5079,6 +5079,7 @@ class AclUndeleteTests(AclTests):
 except LdbError as e38:
 (num, _) = e38.args
 self.assertEqual(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ self.sd_utils.dacl_delete_aces(self.base_dn, mod)
 class AclSPNTests(AclTests):
-- 2.34.1
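Review bot: The tearDown now hard-codes the ACEs `(A;CI;WDCC;;;AU)(A;;CC;;;AU)` that individual tests are expected to have added to `self.schema_dn`, so this list has to be kept in step with every test that calls `dacl_add_ace` on the schema partition; a test that grants a different ACE will leak it exactly as before. Having each test register `self.addCleanup(self.sd_utils.dacl_delete_aces, self.schema_dn, mod)` beside its own `dacl_add_ace` removes that coupling and lets this tearDown line go. If `dacl_delete_aces` raises when an ACE is absent (its behaviour is not visible here), a test that fails before adding its ACE would also turn its tearDown into a second error, which is worth a comment on the new line either way. tearDown continues outside the hunk.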
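Review bot: The new `self.sd_utils.dacl_delete_aces(self.base_dn, mod)` is the last statement of test_undelete, so it only runs when every assertion before it passes; on the failure path, including the `assertEqual` on the line directly above, the temporary ACE stays on `self.base_dn` and leaks into later tests, which is the very problem the commit describes. Register the removal as a cleanup where the ACE is granted (outside this hunk, where `mod` is built) instead of at the end of the test: `self.addCleanup(self.sd_utils.dacl_delete_aces, self.base_dn, mod)`, and drop this trailing call. `mod` and the start of test_undelete are outside the hunk.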
From abc52b46d8beba236eb9240b42ec0184e8d5c4ae Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 22 Mar 2023 14:48:00 +0100
Subject: [PATCH 5/8] s4:dsdb/tests: convert sec_descriptor.py to use assert[Not]In()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
(cherry picked from commit 6de4849f9cacbe7e08834fa340a70f7aebe9e6f9)
---
 source4/dsdb/tests/python/sec_descriptor.py | 298 ++++++++++----------
 1 file changed, 149 insertions(+), 149 deletions(-)
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index 3732828cb9a0..5c69462c69a7 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -353,7 +353,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
 # User is not a member of any additional groups but default
 res = self.ldb_admin.search(user_dn, attrs=["*"])
 res = [x.upper() for x in res[0].keys()]
- self.assertFalse("MEMBEROF" in res)
+ self.assertNotIn("MEMBEROF", res)
 def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
 # Modify
@@ -365,7 +365,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
 sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
 # Make sure the modify operation has been applied
 desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
- self.assertTrue(ace in desc_sddl)
+ self.assertIn(ace, desc_sddl)
 # Make sure we have identical result for both "add" and "modify"
 res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
 print(self._testMethodName)
@@ -1276,8 +1276,8 @@ class DaclDescriptorTests(DescriptorTests): self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl) # Verify all inheritable ACEs are gone desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn) - self.assertFalse("CI" in desc_sddl) - self.assertFalse("OI" in desc_sddl) + self.assertNotIn("CI", desc_sddl) + self.assertNotIn("OI", desc_sddl) def test_200(self): """ OU with protected flag and child group. See if the group has inherit ACEs. @@ -1290,7 +1290,7 @@ class DaclDescriptorTests(DescriptorTests): self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4) # Make sure created group object contains NO inherit ACEs desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertFalse("ID" in desc_sddl) + self.assertNotIn("ID", desc_sddl) def test_201(self): """ OU with protected flag and no inherit ACEs, child group with custom descriptor. @@ -1334,17 +1334,17 @@ class DaclDescriptorTests(DescriptorTests): # Make sure created group object contains NO inherit ACEs # also make sure the added above non-inheritable ACEs are absent too desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertFalse("ID" in desc_sddl) + self.assertNotIn("ID", desc_sddl) for x in re.findall(r"\(.*?\)", mod): - self.assertFalse(x in desc_sddl) + self.assertNotIn(x, desc_sddl) try: self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) except LdbError as e: self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertFalse("ID" in desc_sddl) + self.assertNotIn("ID", desc_sddl) for x in re.findall(r"\(.*?\)", mod): - self.assertFalse(x in desc_sddl) + self.assertNotIn(x, desc_sddl) def test_203(self): """ OU with protected flag and add 'CI' ACE, child group. 
@@ -1366,14 +1366,14 @@ class DaclDescriptorTests(DescriptorTests): # that we've added manually desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";CI;", ";CIID;") - self.assertTrue(mod in desc_sddl) + self.assertIn(mod, desc_sddl) try: self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) except LdbError as e: self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) + self.assertIn(moded, desc_sddl) + self.assertIn(mod, desc_sddl) def test_204(self): """ OU with protected flag and add 'OI' ACE, child group. @@ -1395,14 +1395,14 @@ class DaclDescriptorTests(DescriptorTests): # that we've added manually desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like - self.assertTrue(mod in desc_sddl) + self.assertIn(mod, desc_sddl) try: self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) except LdbError as e: self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) + self.assertIn(moded, desc_sddl) + self.assertIn(mod, desc_sddl) def test_205(self): """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group. @@ -1424,14 +1424,14 @@ class DaclDescriptorTests(DescriptorTests): # that we've added manually desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like - self.assertTrue(mod in desc_sddl) + self.assertIn(mod, desc_sddl) try: self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) except LdbError as e: self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) + self.assertIn(moded, desc_sddl) + self.assertIn(mod, desc_sddl) def test_206(self): """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group. 
@@ -1453,14 +1453,14 @@ class DaclDescriptorTests(DescriptorTests): # that we've added manually desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like - self.assertTrue(mod in desc_sddl) + self.assertIn(mod, desc_sddl) try: self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) except LdbError as e: self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) + self.assertIn(moded, desc_sddl) + self.assertIn(mod, desc_sddl) def test_207(self): """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group. @@ -1482,14 +1482,14 @@ class DaclDescriptorTests(DescriptorTests): # that we've added manually desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like - self.assertTrue(mod in desc_sddl) + self.assertIn(mod, desc_sddl) try: self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) except LdbError as e: self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) + self.assertIn(moded, desc_sddl) + self.assertIn(mod, desc_sddl) def test_208(self): """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group. 
@@ -1511,14 +1511,14 @@ class DaclDescriptorTests(DescriptorTests): # that we've added manually desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like - self.assertTrue(mod in desc_sddl) + self.assertIn(mod, desc_sddl) try: self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded) except LdbError as e: self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue(mod in desc_sddl) + self.assertIn(moded, desc_sddl) + self.assertIn(mod, desc_sddl) def test_209(self): """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group. @@ -1539,16 +1539,16 @@ class DaclDescriptorTests(DescriptorTests): # Make sure created group object contains only the above inherited ACE(s) # that we've added manually desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl) - self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) + self.assertIn("(D;ID;WP;;;AU)", desc_sddl) + self.assertIn("(D;CIIOID;WP;;;CO)", desc_sddl) try: self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) except LdbError as e: self.fail(str(e)) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertTrue(moded in desc_sddl) - self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl) - self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl) + self.assertIn(moded, desc_sddl) + self.assertIn("(D;ID;WP;;;DA)", desc_sddl) + self.assertIn("(D;CIIOID;WP;;;CO)", desc_sddl) def test_210(self): """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored. 
@@ -1562,7 +1562,7 @@ class DaclDescriptorTests(DescriptorTests): self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) # Make sure created group object does not contain the ID ace desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl) + self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl) def test_211(self): """ Provide ACE with CO SID, should be expanded and replaced @@ -1576,8 +1576,8 @@ class DaclDescriptorTests(DescriptorTests): tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid) self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertTrue("(D;;WP;;;DA)" in desc_sddl) - self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl) + self.assertIn("(D;;WP;;;DA)", desc_sddl) + self.assertIn("(D;CIIO;WP;;;CO)", desc_sddl) def test_212(self): """ Provide ACE with IO flag, should be ignored @@ -1593,9 +1593,9 @@ class DaclDescriptorTests(DescriptorTests): # Make sure created group object contains only the above inherited ACE(s) # that we've added manually desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl) - self.assertFalse("(D;;WP;;;DA)" in desc_sddl) - self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl) + self.assertIn("(D;CIIO;WP;;;CO)", desc_sddl) + self.assertNotIn("(D;;WP;;;DA)", desc_sddl) + self.assertNotIn("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)", desc_sddl) def test_213(self): """ Provide ACE with IO flag, should be ignored @@ -1610,7 +1610,7 @@ class DaclDescriptorTests(DescriptorTests): # Make sure created group object contains only the above inherited ACE(s) # that we've added manually desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl) + self.assertNotIn("(D;IO;WP;;;DA)", desc_sddl) def test_214(self): """ Test behavior of ACEs containing generic rights 
@@ -1644,22 +1644,22 @@ class DaclDescriptorTests(DescriptorTests): desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1) self.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl) - self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl) + self.assertIn("(A;CIIO;GA;;;DU)", desc_sddl) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2) self.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl) - self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl) + self.assertIn("(A;CIIO;GA;;;DU)", desc_sddl) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3) self.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl) - self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl) + self.assertNotIn("(A;CIIO;GA;;;DU)", desc_sddl) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4) self.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl) - self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl) + self.assertNotIn("(A;CIIO;GA;;;DU)", desc_sddl) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5) self.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl) - self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl) + self.assertIn("(A;CIIOID;GA;;;DU)", desc_sddl) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6) self.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl) - self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl) + self.assertIn("(A;CIIOID;GA;;;DU)", desc_sddl) def test_215(self): """ Make sure IO flag is removed in child objects @@ -1676,8 +1676,8 @@ class DaclDescriptorTests(DescriptorTests): self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc) self.ldb_admin.create_ou(ou_dn5) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5) - self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl) - self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl) + self.assertIn("(A;CIID;WP;;;DU)", desc_sddl) + self.assertNotIn("(A;CIIOID;WP;;;DU)", desc_sddl) def test_216(self): """ Make sure ID ACES provided by user are ignored 
@@ -1693,8 +1693,8 @@ class DaclDescriptorTests(DescriptorTests): self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) # Make sure created group object does not contain the ID ace desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl) - self.assertFalse("(A;;WP;;;AU)" in desc_sddl) + self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl) + self.assertNotIn("(A;;WP;;;AU)", desc_sddl) def test_217(self): """ Make sure ID ACES provided by user are not ignored if P flag is set @@ -1710,8 +1710,8 @@ class DaclDescriptorTests(DescriptorTests): self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) # Make sure created group object does not contain the ID ace desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) - self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl) - self.assertTrue("(A;;WP;;;AU)" in desc_sddl) + self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl) + self.assertIn("(A;;WP;;;AU)", desc_sddl) ######################################################################################## @@ -1734,11 +1734,11 @@ class SdFlagsDescriptorTests(DescriptorTests): self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)]) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) # make sure we have modified the owner - self.assertTrue("O:AU" in desc_sddl) + self.assertIn("O:AU", desc_sddl) # make sure nothing else has been modified - self.assertFalse("G:AU" in desc_sddl) - self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl) - self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) + self.assertNotIn("G:AU", desc_sddl) + self.assertNotIn("D:(D;;CC;;;LG)", desc_sddl) + self.assertNotIn("(OU;;WP;;;AU)", desc_sddl) def test_302(self): """ Modify a descriptor with GROUP_SECURITY_INFORMATION set. 
@@ -1749,11 +1749,11 @@ class SdFlagsDescriptorTests(DescriptorTests): self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)]) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) # make sure we have modified the group - self.assertTrue("G:AU" in desc_sddl) + self.assertIn("G:AU", desc_sddl) # make sure nothing else has been modified - self.assertFalse("O:AU" in desc_sddl) - self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl) - self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) + self.assertNotIn("O:AU", desc_sddl) + self.assertNotIn("D:(D;;CC;;;LG)", desc_sddl) + self.assertNotIn("(OU;;WP;;;AU)", desc_sddl) def test_303(self): """ Modify a descriptor with SACL_SECURITY_INFORMATION set. @@ -1764,11 +1764,11 @@ class SdFlagsDescriptorTests(DescriptorTests): self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)]) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) # make sure we have modified the DACL - self.assertTrue("(D;;CC;;;LG)" in desc_sddl) + self.assertIn("(D;;CC;;;LG)", desc_sddl) # make sure nothing else has been modified - self.assertFalse("O:AU" in desc_sddl) - self.assertFalse("G:AU" in desc_sddl) - self.assertFalse("(OU;;WP;;;AU)" in desc_sddl) + self.assertNotIn("O:AU", desc_sddl) + self.assertNotIn("G:AU", desc_sddl) + self.assertNotIn("(OU;;WP;;;AU)", desc_sddl) def test_304(self): """ Modify a descriptor with SACL_SECURITY_INFORMATION set. 
@@ -1779,11 +1779,11 @@ class SdFlagsDescriptorTests(DescriptorTests): self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)]) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) # make sure we have modified the DACL - self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) + self.assertIn("(OU;;WP;;;AU)", desc_sddl) # make sure nothing else has been modified - self.assertFalse("O:AU" in desc_sddl) - self.assertFalse("G:AU" in desc_sddl) - self.assertFalse("(D;;CC;;;LG)" in desc_sddl) + self.assertNotIn("O:AU", desc_sddl) + self.assertNotIn("G:AU", desc_sddl) + self.assertNotIn("(D;;CC;;;LG)", desc_sddl) def test_305(self): """ Modify a descriptor with 0x0 set. @@ -1795,11 +1795,11 @@ class SdFlagsDescriptorTests(DescriptorTests): self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"]) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) # make sure we have modified the DACL - self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) + self.assertIn("(OU;;WP;;;AU)", desc_sddl) # make sure nothing else has been modified - self.assertTrue("O:AU" in desc_sddl) - self.assertTrue("G:AU" in desc_sddl) - self.assertTrue("(D;;CC;;;LG)" in desc_sddl) + self.assertIn("O:AU", desc_sddl) + self.assertIn("G:AU", desc_sddl) + self.assertIn("(D;;CC;;;LG)", desc_sddl) def test_306(self): """ Modify a descriptor with 0xF set. 
@@ -1809,11 +1809,11 @@ class SdFlagsDescriptorTests(DescriptorTests): self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"]) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) # make sure we have modified the DACL - self.assertTrue("(OU;;WP;;;AU)" in desc_sddl) + self.assertIn("(OU;;WP;;;AU)", desc_sddl) # make sure nothing else has been modified - self.assertTrue("O:AU" in desc_sddl) - self.assertTrue("G:AU" in desc_sddl) - self.assertTrue("(D;;CC;;;LG)" in desc_sddl) + self.assertIn("O:AU", desc_sddl) + self.assertIn("G:AU", desc_sddl) + self.assertIn("(D;;CC;;;LG)", desc_sddl) def test_307(self): """ Read a descriptor with OWNER_SECURITY_INFORMATION @@ -1823,11 +1823,11 @@ class SdFlagsDescriptorTests(DescriptorTests): self.ldb_admin.create_ou(ou_dn) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)]) # make sure we have read the owner - self.assertTrue("O:" in desc_sddl) + self.assertIn("O:", desc_sddl) # make sure we have read nothing else - self.assertFalse("G:" in desc_sddl) - self.assertFalse("D:" in desc_sddl) - self.assertFalse("S:" in desc_sddl) + self.assertNotIn("G:", desc_sddl) + self.assertNotIn("D:", desc_sddl) + self.assertNotIn("S:", desc_sddl) def test_308(self): """ Read a descriptor with GROUP_SECURITY_INFORMATION @@ -1837,11 +1837,11 @@ class SdFlagsDescriptorTests(DescriptorTests): self.ldb_admin.create_ou(ou_dn) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)]) # make sure we have read the owner - self.assertTrue("G:" in desc_sddl) + self.assertIn("G:", desc_sddl) # make sure we have read nothing else - self.assertFalse("O:" in desc_sddl) - self.assertFalse("D:" in desc_sddl) - self.assertFalse("S:" in desc_sddl) + self.assertNotIn("O:", desc_sddl) + self.assertNotIn("D:", desc_sddl) + self.assertNotIn("S:", desc_sddl) def test_309(self): """ Read a descriptor with SACL_SECURITY_INFORMATION 
@@ -1851,11 +1851,11 @@ class SdFlagsDescriptorTests(DescriptorTests): self.ldb_admin.create_ou(ou_dn) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)]) # make sure we have read the owner - self.assertTrue("S:" in desc_sddl) + self.assertIn("S:", desc_sddl) # make sure we have read nothing else - self.assertFalse("O:" in desc_sddl) - self.assertFalse("D:" in desc_sddl) - self.assertFalse("G:" in desc_sddl) + self.assertNotIn("O:", desc_sddl) + self.assertNotIn("D:", desc_sddl) + self.assertNotIn("G:", desc_sddl) def test_310(self): """ Read a descriptor with DACL_SECURITY_INFORMATION @@ -1865,11 +1865,11 @@ class SdFlagsDescriptorTests(DescriptorTests): self.ldb_admin.create_ou(ou_dn) desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)]) # make sure we have read the owner - self.assertTrue("D:" in desc_sddl) + self.assertIn("D:", desc_sddl) # make sure we have read nothing else - self.assertFalse("O:" in desc_sddl) - self.assertFalse("S:" in desc_sddl) - self.assertFalse("G:" in desc_sddl) + self.assertNotIn("O:", desc_sddl) + self.assertNotIn("S:", desc_sddl) + self.assertNotIn("G:", desc_sddl) def test_311(self): sd_flags = (SECINFO_OWNER | 
@@ -1879,121 +1879,121 @@ class SdFlagsDescriptorTests(DescriptorTests): res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, [], controls=None) - self.assertFalse("nTSecurityDescriptor" in res[0]) + self.assertNotIn("nTSecurityDescriptor", res[0]) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["name"], controls=None) - self.assertFalse("nTSecurityDescriptor" in res[0]) + self.assertNotIn("nTSecurityDescriptor", res[0]) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["name"], controls=["sd_flags:1:%d" % (sd_flags)]) - self.assertFalse("nTSecurityDescriptor" in res[0]) + self.assertNotIn("nTSecurityDescriptor", res[0]) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, controls=["sd_flags:1:%d" % (sd_flags)]) - self.assertTrue("nTSecurityDescriptor" in res[0]) + self.assertIn("nTSecurityDescriptor", res[0]) tmp = res[0]["nTSecurityDescriptor"][0] sd = ndr_unpack(security.descriptor, tmp) sddl = sd.as_sddl(self.sd_utils.domain_sid) - self.assertTrue("O:" in sddl) - self.assertTrue("G:" in sddl) - self.assertTrue("D:" in sddl) - self.assertTrue("S:" in sddl) + self.assertIn("O:", sddl) + self.assertIn("G:", sddl) + self.assertIn("D:", sddl) + self.assertIn("S:", sddl) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["*"], controls=["sd_flags:1:%d" % (sd_flags)]) - self.assertTrue("nTSecurityDescriptor" in res[0]) + self.assertIn("nTSecurityDescriptor", res[0]) tmp = res[0]["nTSecurityDescriptor"][0] sd = ndr_unpack(security.descriptor, tmp) sddl = sd.as_sddl(self.sd_utils.domain_sid) - self.assertTrue("O:" in sddl) - self.assertTrue("G:" in sddl) - self.assertTrue("D:" in sddl) - self.assertTrue("S:" in sddl) + self.assertIn("O:", sddl) + self.assertIn("G:", sddl) + self.assertIn("D:", sddl) + self.assertIn("S:", sddl) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["nTSecurityDescriptor", "*"], controls=["sd_flags:1:%d" % (sd_flags)]) - self.assertTrue("nTSecurityDescriptor" in res[0]) + 
self.assertIn("nTSecurityDescriptor", res[0]) tmp = res[0]["nTSecurityDescriptor"][0] sd = ndr_unpack(security.descriptor, tmp) sddl = sd.as_sddl(self.sd_utils.domain_sid) - self.assertTrue("O:" in sddl) - self.assertTrue("G:" in sddl) - self.assertTrue("D:" in sddl) - self.assertTrue("S:" in sddl) + self.assertIn("O:", sddl) + self.assertIn("G:", sddl) + self.assertIn("D:", sddl) + self.assertIn("S:", sddl) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["*", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)]) - self.assertTrue("nTSecurityDescriptor" in res[0]) + self.assertIn("nTSecurityDescriptor", res[0]) tmp = res[0]["nTSecurityDescriptor"][0] sd = ndr_unpack(security.descriptor, tmp) sddl = sd.as_sddl(self.sd_utils.domain_sid) - self.assertTrue("O:" in sddl) - self.assertTrue("G:" in sddl) - self.assertTrue("D:" in sddl) - self.assertTrue("S:" in sddl) + self.assertIn("O:", sddl) + self.assertIn("G:", sddl) + self.assertIn("D:", sddl) + self.assertIn("S:", sddl) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["nTSecurityDescriptor", "name"], controls=["sd_flags:1:%d" % (sd_flags)]) - self.assertTrue("nTSecurityDescriptor" in res[0]) + self.assertIn("nTSecurityDescriptor", res[0]) tmp = res[0]["nTSecurityDescriptor"][0] sd = ndr_unpack(security.descriptor, tmp) sddl = sd.as_sddl(self.sd_utils.domain_sid) - self.assertTrue("O:" in sddl) - self.assertTrue("G:" in sddl) - self.assertTrue("D:" in sddl) - self.assertTrue("S:" in sddl) + self.assertIn("O:", sddl) + self.assertIn("G:", sddl) + self.assertIn("D:", sddl) + self.assertIn("S:", sddl) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["name", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)]) - self.assertTrue("nTSecurityDescriptor" in res[0]) + self.assertIn("nTSecurityDescriptor", res[0]) tmp = res[0]["nTSecurityDescriptor"][0] sd = ndr_unpack(security.descriptor, tmp) sddl = sd.as_sddl(self.sd_utils.domain_sid) - self.assertTrue("O:" in 
sddl) - self.assertTrue("G:" in sddl) - self.assertTrue("D:" in sddl) - self.assertTrue("S:" in sddl) + self.assertIn("O:", sddl) + self.assertIn("G:", sddl) + self.assertIn("D:", sddl) + self.assertIn("S:", sddl) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["nTSecurityDescriptor"], controls=None) - self.assertTrue("nTSecurityDescriptor" in res[0]) + self.assertIn("nTSecurityDescriptor", res[0]) tmp = res[0]["nTSecurityDescriptor"][0] sd = ndr_unpack(security.descriptor, tmp) sddl = sd.as_sddl(self.sd_utils.domain_sid) - self.assertTrue("O:" in sddl) - self.assertTrue("G:" in sddl) - self.assertTrue("D:" in sddl) - self.assertTrue("S:" in sddl) + self.assertIn("O:", sddl) + self.assertIn("G:", sddl) + self.assertIn("D:", sddl) + self.assertIn("S:", sddl) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["name", "nTSecurityDescriptor"], controls=None) - self.assertTrue("nTSecurityDescriptor" in res[0]) + self.assertIn("nTSecurityDescriptor", res[0]) tmp = res[0]["nTSecurityDescriptor"][0] sd = ndr_unpack(security.descriptor, tmp) sddl = sd.as_sddl(self.sd_utils.domain_sid) - self.assertTrue("O:" in sddl) - self.assertTrue("G:" in sddl) - self.assertTrue("D:" in sddl) - self.assertTrue("S:" in sddl) + self.assertIn("O:", sddl) + self.assertIn("G:", sddl) + self.assertIn("D:", sddl) + self.assertIn("S:", sddl) res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["nTSecurityDescriptor", "name"], controls=None) - self.assertTrue("nTSecurityDescriptor" in res[0]) + self.assertIn("nTSecurityDescriptor", res[0]) tmp = res[0]["nTSecurityDescriptor"][0] sd = ndr_unpack(security.descriptor, tmp) sddl = sd.as_sddl(self.sd_utils.domain_sid) - self.assertTrue("O:" in sddl) - self.assertTrue("G:" in sddl) - self.assertTrue("D:" in sddl) - self.assertTrue("S:" in sddl) + self.assertIn("O:", sddl) + self.assertIn("G:", sddl) + self.assertIn("D:", sddl) + self.assertIn("S:", sddl) def test_312(self): """This search is done by the windows dc 
join...""" res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["1.1"], controls=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"]) - self.assertFalse("nTSecurityDescriptor" in res[0]) + self.assertNotIn("nTSecurityDescriptor", res[0]) class RightsAttributesTests(DescriptorTests): @@ -2068,7 +2068,7 @@ class RightsAttributesTests(DescriptorTests): attrs=["allowedChildClassesEffective"]) # there should be no allowed child classes self.assertEqual(len(res), 1) - self.assertFalse("allowedChildClassesEffective" in res[0].keys()) + self.assertNotIn("allowedChildClassesEffective", res[0].keys()) # give the user the right to create children of type user mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) self.sd_utils.dacl_add_ace(object_dn, mod) @@ -2092,7 +2092,7 @@ class RightsAttributesTests(DescriptorTests): attrs=["allowedAttributesEffective"]) # there should be no allowed attributes self.assertEqual(len(res), 1) - self.assertFalse("allowedAttributesEffective" in res[0].keys()) + self.assertNotIn("allowedAttributesEffective", res[0].keys()) # give the user the right to write displayName and managedBy mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid) @@ -2104,8 +2104,8 @@ class RightsAttributesTests(DescriptorTests): # value should only contain user and managedBy self.assertEqual(len(res), 1) self.assertEqual(len(res[0]["allowedAttributesEffective"]), 2) - self.assertTrue(b"displayName" in res[0]["allowedAttributesEffective"]) - self.assertTrue(b"managedBy" in res[0]["allowedAttributesEffective"]) + self.assertIn(b"displayName", res[0]["allowedAttributesEffective"]) + self.assertIn(b"managedBy", res[0]["allowedAttributesEffective"]) class SdAutoInheritTests(DescriptorTests): 
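Review bot: In the `@@ -1879` hunk (test_311) the block search → `assertIn("nTSecurityDescriptor", res[0])` → `ndr_unpack` → `as_sddl` → four `assertIn` for `O:`, `G:`, `D:`, `S:` is spelled out nine times with only the `attrs` and `controls` arguments changing, which is why the same `assertTrue`→`assertIn` conversion had to be repeated nine times here. Keeping the search calls and moving the unpack plus the five assertions into one helper called as `self._assert_full_sd(res)` would leave each case at two lines and give one place to adjust the expected parts; a sketch follows. test_311 starts before the hunk.
```python
    def _assert_full_sd(self, res):
        """Assert that the first search result carries nTSecurityDescriptor
        and that its SDDL form has all four parts: owner, group, DACL, SACL."""
        self.assertIn("nTSecurityDescriptor", res[0])
        sd = ndr_unpack(security.descriptor, res[0]["nTSecurityDescriptor"][0])
        sddl = sd.as_sddl(self.sd_utils.domain_sid)
        for part in ("O:", "G:", "D:", "S:"):
            self.assertIn(part, sddl)
    # … unchanged: test_311's search calls, each now followed by self._assert_full_sd(res) …
```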
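Review bot: `self.assertNotIn("allowedChildClassesEffective", res[0].keys())` in the `@@ -2068` hunk, and the matching `allowedAttributesEffective` line in `@@ -2092`, go through `.keys()` while every other assertion converted in this file tests membership on `res[0]` directly (for example `self.assertNotIn("nTSecurityDescriptor", res[0])` in the hunk above). Dropping `.keys()` makes the two consistent with the rest: `self.assertNotIn("allowedChildClassesEffective", res[0])` and `self.assertNotIn("allowedAttributesEffective", res[0])`. Both enclosing test bodies start before their hunks.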
@@ -2144,8 +2144,8 @@ class SdAutoInheritTests(DescriptorTests): ou_sddl0 = ou_sd0.as_sddl(self.domain_sid) sub_sddl0 = sub_sd0.as_sddl(self.domain_sid) - self.assertFalse(ace in ou_sddl0) - self.assertFalse(ace in sub_sddl0) + self.assertNotIn(ace, ou_sddl0) + self.assertNotIn(ace, sub_sddl0) ou_sddl1 = (ou_sddl0[:ou_sddl0.index("(")] + ace + ou_sddl0[ou_sddl0.index("("):]) @@ -2179,12 +2179,12 @@ class SdAutoInheritTests(DescriptorTests): print("sub0: %s" % sub_sddl0) print("sub2: %s" % sub_sddl2) - self.assertTrue(ace in ou_sddl2) - self.assertTrue(sub_ace in sub_sddl2) + self.assertIn(ace, ou_sddl2) + self.assertIn(sub_ace, sub_sddl2) ou_usn0 = int(ou_res0[0]["uSNChanged"][0]) ou_usn2 = int(ou_res2[0]["uSNChanged"][0]) - self.assertTrue(ou_usn2 > ou_usn0) + self.assertGreater(ou_usn2, ou_usn0) sub_usn0 = int(sub_res0[0]["uSNChanged"][0]) sub_usn2 = int(sub_res2[0]["uSNChanged"][0]) -- 2.34.1 From 39c147b117cfa11a6f54e0f567070f427c4888d1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 22 Mar 2023 14:48:00 +0100 Subject: [PATCH 6/8] s4:dsdb/tests: allow sec_descriptor.py to run against Windows 2022 We need SEC_STD_DELETE in order to run the test twice against the same server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 731c85add116b8ab192d9a2d3bc56296635a226d) --- source4/dsdb/tests/python/sec_descriptor.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py index 5c69462c69a7..c8d506a76ec0 100755 --- a/source4/dsdb/tests/python/sec_descriptor.py +++ b/source4/dsdb/tests/python/sec_descriptor.py 
@@ -1623,7 +1623,7 @@ class DaclDescriptorTests(DescriptorTests):
 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
 ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
 # Create inheritable-free OU
- mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
+ mod = "D:P(A;CI;WPRPLCCCDCWDRCSD;;;DA)"
 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
 mod = "D:(A;CI;GA;;;DU)"
@@ -1668,7 +1668,7 @@ class DaclDescriptorTests(DescriptorTests):
 ou_dn1 = "OU=test_inherit_ou1," + ou_dn
 ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
 # Create inheritable-free OU
- mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
+ mod = "D:P(A;CI;WPRPLCCCDCWDRCSD;;;DA)"
 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
 mod = "D:(A;CIIO;WP;;;DU)"
@@ -1684,7 +1684,7 @@ class DaclDescriptorTests(DescriptorTests):
 """
 ou_dn = "OU=test_inherit_ou," + self.base_dn
 group_dn = "CN=test_inherit_group," + ou_dn
- mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
+ mod = "D:P(A;;WPRPLCCCDCWDRCSD;;;DA)"
 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
 # Add some custom ACE
@@ -1701,7 +1701,7 @@ class DaclDescriptorTests(DescriptorTests):
 """
 ou_dn = "OU=test_inherit_ou," + self.base_dn
 group_dn = "CN=test_inherit_group," + ou_dn
- mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
+ mod = "D:P(A;;WPRPLCCCDCWDRCSD;;;DA)"
 tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
 self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
 # Add some custom ACE
-- 2.34.1 From 7182cf978da7490a5111cfab05a0ab6ad9ce648d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 22 Mar 2023 14:48:00 +0100 Subject: [PATCH 7/8] s4:dsdb/tests: add more detailed tests to sec_descriptor.py These demonstrate how inherited aces are constructed and applies per objectclass, with and without the NO_PROPAGATE_INHERIT flag. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
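Review bot: The `SD` added to the four `D:P(A;…;DA)` literals in the `@@ -1623`, `@@ -1668`, `@@ -1684` and `@@ -1701` hunks is explained only in the commit message (SEC_STD_DELETE is needed so the test can be run twice against the same server); the `# Create inheritable-free OU` comment above each literal says nothing about it, so the next person tidying these masks has no cue not to drop it again. A comment such as `# SD (SEC_STD_DELETE) so the OU can be removed when the test is re-run against the same server` above the first occurrence, or one class-level constant holding the mask string and used in all four places, would keep that reason with the code. The enclosing test methods start before their hunks.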
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit a0217c50e920557046628bb171f2addea2ad7416) --- .../knownfail.d/samba4.ldap.secdesc.python | 13 + source4/dsdb/tests/python/sec_descriptor.py | 501 ++++++++++++++++++ 2 files changed, 514 insertions(+) create mode 100644 selftest/knownfail.d/samba4.ldap.secdesc.python
diff --git a/selftest/knownfail.d/samba4.ldap.secdesc.python b/selftest/knownfail.d/samba4.ldap.secdesc.python new file mode 100644
index 000000000000..4caef1ff2625
--- /dev/null
+++ b/selftest/knownfail.d/samba4.ldap.secdesc.python
@@ -0,0 +1,13 @@
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_and_io_on_attribute
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_and_np_on_attribute
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_ga_name_attr_objectclass_same
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_ga_no_attr_objectclass_same
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_name_attr_objectclass_different
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_name_attr_objectclass_same
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_no_attr_objectclass_different
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_no_attr_objectclass_same
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_name_attr_objectclass_different
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_name_attr_objectclass_same
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_no_attr_objectclass_different
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_no_attr_objectclass_same
+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_oi_and_np_on_attribute
diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
index c8d506a76ec0..56ad098ddeb3 100755
--- a/source4/dsdb/tests/python/sec_descriptor.py
+++ b/source4/dsdb/tests/python/sec_descriptor.py
@@ -1713,6 +1713,507 @@ class DaclDescriptorTests(DescriptorTests): self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl) self.assertIn("(A;;WP;;;AU)", desc_sddl) + def test_ci_and_io_on_attribute(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CIOI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + mod = mod.replace(";CIOI;", ";OICIID;") # change it how it's gonna look like + self.assertIn(mod, desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertIn(mod, desc_sddl) + + def test_ci_and_np_on_attribute(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CINP;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + mod = mod.replace(";CINP;", ";ID;") # change it how it's gonna look like + self.assertIn(mod, desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + 
self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertIn(mod, desc_sddl) + + def test_oi_and_np_on_attribute(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;OINP;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + mod = mod.replace(";OINP;", ";ID;") # change it how it's gonna look like + self.assertNotIn(mod, desc_sddl) + self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn(mod, desc_sddl) + self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) + + def test_ci_ga_no_attr_objectclass_same(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CI;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + modob = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)" + modid = "(OA;CIIOID;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + 
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(modob, desc_sddl) + self.assertIn(modid, desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertIn(modob, desc_sddl) + self.assertIn(modid, desc_sddl) + + def test_ci_ga_no_attr_objectclass_different(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CI;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)" + modid = "(OA;CIIOID;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertNotIn(modno, desc_sddl) + self.assertIn(modid, desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn(modno, desc_sddl) + self.assertIn(modid, desc_sddl) + + def test_ci_ga_name_attr_objectclass_same(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CI;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + modob = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" + modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + 
moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(modob, desc_sddl) + self.assertIn(modid, desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertIn(modob, desc_sddl) + self.assertIn(modid, desc_sddl) + + def test_ci_ga_name_attr_objectclass_different(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CI;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + modno = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" + modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertNotIn(modno, desc_sddl) + self.assertIn(modid, desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn(modno, desc_sddl) + self.assertIn(modid, desc_sddl) + + def test_ci_lc_no_attr_objectclass_same(self): 
+ ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CI;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + modno = "(A;ID;LC;;;DA)" + modid = "(OA;CIID;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertNotIn(modno, desc_sddl) + self.assertIn(modid, desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn(modno, desc_sddl) + self.assertIn(modid, desc_sddl) + + def test_ci_lc_no_attr_objectclass_different(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CI;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)" + modid = "(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertNotIn(modno, desc_sddl) + self.assertIn(modid, desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + 
desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn(modno, desc_sddl) + self.assertIn(modid, desc_sddl) + + def test_ci_lc_name_attr_objectclass_same(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CI;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + modob = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" + modid = "(OA;CIID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertNotIn(modob, desc_sddl) + self.assertIn(modid, desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn(modob, desc_sddl) + self.assertIn(modid, desc_sddl) + + def test_ci_lc_name_attr_objectclass_different(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CI;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + modno = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" + modid = "(OA;CIIOID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = 
security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertNotIn(modno, desc_sddl) + self.assertIn(modid, desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn(modno, desc_sddl) + self.assertIn(modid, desc_sddl) + + def test_ci_np_ga_no_attr_objectclass_same(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + # Add some custom 'OA' for 'name' attribute & 'CI'+'OI' ACE + mod = "(OA;CINP;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + modob = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)" + modid = "(OA;CIIOID;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(modob, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) + + def test_ci_np_ga_no_attr_objectclass_different(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + 
ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CINP;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)" + modid = "(OA;CIIOID;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertNotIn(modno, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn(modno, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) + + def test_ci_np_ga_name_attr_objectclass_same(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CINP;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + modob = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" + modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = 
self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(modob, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertIn(modob, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) + + def test_ci_np_ga_name_attr_objectclass_different(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CINP;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) + self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) + self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) + + def test_ci_np_lc_no_attr_objectclass_same(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CINP;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + modno = "(A;ID;LC;;;DA)" + 
modid = "(OA;CIID;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(modno, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertIn(modno, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) + + def test_ci_np_lc_no_attr_objectclass_different(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CINP;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + modno = "(A;ID;LC;;;DA)" + modid = "(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertNotIn(modno, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + 
self.assertIn(moded, desc_sddl) + self.assertNotIn(modno, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) + + def test_ci_np_lc_name_attr_objectclass_same(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CINP;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + modob = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" + modid = "(OA;CIID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(modob, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertIn(modob, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) + + def test_ci_np_lc_name_attr_objectclass_different(self): + ou_dn = "OU=test_inherit_ou," + self.base_dn + group_dn = "CN=test_inherit_group," + ou_dn + # Create inheritable-free OU + self.create_clean_ou(ou_dn) + mod = "(OA;CINP;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + modno = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" + modid = 
"(OA;CIIOID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" + moded = "(D;;CC;;;LG)" + self.sd_utils.dacl_add_ace(ou_dn, mod) + desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) + # Create group child object + tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) + self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertNotIn(modno, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) + self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) + try: + self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) + except LdbError as e: + self.fail(str(e)) + desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) + self.assertIn(moded, desc_sddl) + self.assertNotIn(modno, desc_sddl) + self.assertNotIn(modid, desc_sddl) + self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) + self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) + ######################################################################################## -- 2.34.1 From 08a0b11392587d68ad9ff8467fb6ca08d490e98d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 18 Mar 2023 01:17:04 +0100 Subject: [PATCH 8/8] libcli/security: rewrite calculate_inherited_from_parent() This allows us to pass the new tests we just added. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit bb09c06d6d58a04e1d270a9f99d1179cfa9acbda) --- libcli/security/create_descriptor.c | 247 ++++++++++++++---- .../knownfail.d/samba4.ldap.secdesc.python | 13 - 2 files changed, 192 insertions(+), 68 deletions(-) delete mode 100644 selftest/knownfail.d/samba4.ldap.secdesc.python 
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c index ef60d847033f..947d6c19d588 100644 --- a/libcli/security/create_descriptor.c +++ b/libcli/security/create_descriptor.c @@ -78,7 +78,7 @@ uint32_t map_generic_rights_ds(uint32_t access_mask) /* Not sure what this has to be, * and it does not seem to have any influence */ -static bool object_in_list(struct GUID *object_list, struct GUID *object) +static bool object_in_list(const struct GUID *object_list, const struct GUID *object) { size_t i; @@ -107,7 +107,7 @@ static bool object_in_list(struct GUID *object_list, struct GUID *object) /* returns true if the ACE gontains generic information * that needs to be processed additionally */ -static bool desc_ace_has_generic(struct security_ace *ace) +static bool desc_ace_has_generic(const struct security_ace *ace) { if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & SEC_GENERIC_READ || ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & SEC_GENERIC_EXECUTE) { 
@@ -155,12 +155,114 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, } for (i=0; i < acl->num_aces; i++) { - struct security_ace *ace = &acl->aces[i]; - if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) || - (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { - struct GUID inherited_object = GUID_zero(); + const struct security_ace *ace = &acl->aces[i]; + const struct GUID *inherited_object = NULL; + const struct GUID *inherited_property = NULL; + struct security_ace *tmp_ace = NULL; + bool applies = false; + bool inherited_only = false; + bool expand_ace = false; + bool expand_only = false; + + if (is_container && (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) { + applies = true; + } else if (!is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { + applies = true; + } + + if (!applies) { + /* + * If the ace doesn't apply to the + * current node, we should only keep + * it as SEC_ACE_FLAG_OBJECT_INHERIT + * on a container. We'll add + * SEC_ACE_FLAG_INHERITED_ACE + * and SEC_ACE_FLAG_INHERIT_ONLY below. + * + * Otherwise we should completely ignore it. 
+ */ + if (!(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { + continue; + } + } + + switch (ace->type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED: + case SEC_ACE_TYPE_ACCESS_DENIED: + case SEC_ACE_TYPE_SYSTEM_AUDIT: + case SEC_ACE_TYPE_SYSTEM_ALARM: + case SEC_ACE_TYPE_ALLOWED_COMPOUND: + break; + + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) { + inherited_property = &ace->object.object.type.type; + } + if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { + inherited_object = &ace->object.object.inherited_type.inherited_type; + } + + if (inherited_object != NULL && !object_in_list(object_list, inherited_object)) { + /* + * An explicit object class schemaId is given, + * but doesn't belong to the current object. + */ + applies = false; + } - tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, + break; + } + + if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) { + if (!applies) { + /* + * If the ACE doesn't apply to + * the current object, we should + * ignore it as it should not be + * inherited any further + */ + continue; + } + /* + * We should only keep the expanded version + * of the ACE on the current object. + */ + expand_ace = true; + expand_only = true; + } else if (applies) { + /* + * We check if should also add + * the expanded version of the ACE + * in addition, in case we should + * expand generic access bits or + * special sids. + * + * In that case we need to + * keep the original ACE with + * SEC_ACE_FLAG_INHERIT_ONLY. 
+ */ + expand_ace = desc_ace_has_generic(ace); + if (expand_ace) { + inherited_only = true; + } + } else { + /* + * If the ACE doesn't apply + * to the current object, + * we need to keep it with + * SEC_ACE_FLAG_INHERIT_ONLY + * in order to apply them to + * grandchildren + */ + inherited_only = true; + } + + if (expand_ace) { + tmp_acl->aces = talloc_realloc(tmp_acl, + tmp_acl->aces, struct security_ace, tmp_acl->num_aces+1); if (tmp_acl->aces == NULL) { 
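Review bot: The comment on the `!applies` path says a non-applying ACE is kept only "as SEC_ACE_FLAG_OBJECT_INHERIT on a container", but the guard below it tests only the OI bit; it is correct today only because `!applies` on a non-container already implies OI is clear, a dependency on the `applies` computation a few lines above that the code never states. Making the condition self-describing costs one line, `if (!is_container || !(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { continue; }`, which is equivalent now and stays correct if the `applies` rules are ever refined. Separately, the `switch (ace->type)` has no `default:`, so any ACE type outside the nine listed cases is treated as a non-object ACE and inherited without the object-class check; if that is intended, an explicit `default: break; /* no object-class filter for other ACE types */` documents it and keeps `-Wswitch-enum` quiet. The loop body this hunk opens continues into the next hunk.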
@@ -168,61 +270,96 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, return NULL; } - tmp_acl->aces[tmp_acl->num_aces] = *ace; - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE; - /* remove IO flag from the child's ace */ - if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY && - !desc_ace_has_generic(ace)) { - tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY; - } + tmp_ace = &tmp_acl->aces[tmp_acl->num_aces]; + tmp_acl->num_aces++; - if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; - - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED: - case SEC_ACE_TYPE_ACCESS_DENIED: - case SEC_ACE_TYPE_SYSTEM_AUDIT: - case SEC_ACE_TYPE_SYSTEM_ALARM: - case SEC_ACE_TYPE_ALLOWED_COMPOUND: - break; - - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: - case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: - if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) { - inherited_object = ace->object.object.inherited_type.inherited_type; - } + *tmp_ace = *ace; + + /* + * Expand generic access bits as well as special + * sids. + */ + desc_expand_generic(tmp_ace, owner, group); + + /* + * Expanded ACEs are marked as inherited, + * but never inherited any further to + * grandchildren. + */ + tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE; + tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT; + tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT; + tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT; + + /* + * Expanded ACEs never have an explicit + * object class schemaId, so clear it + * if present. 
+ */ + if (inherited_object != NULL) { + tmp_ace->object.object.flags &= ~SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT; + } - if (!object_in_list(object_list, &inherited_object)) { - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; + /* + * If the ACE had an explicit object class + * schemaId, but no attribute/propertySet + * we need to downgrate the _OBJECT variants + * to the normal ones. + */ + if (inherited_property == NULL) { + switch (tmp_ace->type) { + case SEC_ACE_TYPE_ACCESS_ALLOWED: + case SEC_ACE_TYPE_ACCESS_DENIED: + case SEC_ACE_TYPE_SYSTEM_AUDIT: + case SEC_ACE_TYPE_SYSTEM_ALARM: + case SEC_ACE_TYPE_ALLOWED_COMPOUND: + break; + case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED; + break; + case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_ACCESS_DENIED; + break; + case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_SYSTEM_ALARM; + break; + case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: + tmp_ace->type = SEC_ACE_TYPE_SYSTEM_AUDIT; + break; } - - break; } - tmp_acl->num_aces++; - if (is_container) { - if (!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) && - (desc_ace_has_generic(ace))) { - tmp_acl->aces = talloc_realloc(tmp_acl, - tmp_acl->aces, - struct security_ace, - tmp_acl->num_aces+1); - if (tmp_acl->aces == NULL) { - talloc_free(tmp_ctx); - return NULL; - } - tmp_acl->aces[tmp_acl->num_aces] = *ace; - desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces], - owner, - group); - tmp_acl->aces[tmp_acl->num_aces].flags = SEC_ACE_FLAG_INHERITED_ACE; - tmp_acl->num_aces++; - } + if (expand_only) { + continue; } } + + tmp_acl->aces = talloc_realloc(tmp_acl, + tmp_acl->aces, + struct security_ace, + tmp_acl->num_aces+1); + if (tmp_acl->aces == NULL) { + talloc_free(tmp_ctx); + return NULL; + } + + tmp_ace = &tmp_acl->aces[tmp_acl->num_aces]; + tmp_acl->num_aces++; + + *tmp_ace = *ace; + tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE; + + if (inherited_only) { + tmp_ace->flags 
|= SEC_ACE_FLAG_INHERIT_ONLY; + } else { + tmp_ace->flags &= ~SEC_ACE_FLAG_INHERIT_ONLY; + } + + if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) { + tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT; + tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT; + tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT; + } } if (tmp_acl->num_aces == 0) { return NULL; diff --git a/selftest/knownfail.d/samba4.ldap.secdesc.python b/selftest/knownfail.d/samba4.ldap.secdesc.python deleted file mode 100644 index 4caef1ff2625..000000000000 --- a/selftest/knownfail.d/samba4.ldap.secdesc.python +++ /dev/null @@ -1,13 +0,0 @@ -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_and_io_on_attribute -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_and_np_on_attribute -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_ga_name_attr_objectclass_same -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_ga_no_attr_objectclass_same -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_name_attr_objectclass_different -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_name_attr_objectclass_same -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_no_attr_objectclass_different -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_no_attr_objectclass_same -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_name_attr_objectclass_different -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_name_attr_objectclass_same -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_no_attr_objectclass_different -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_no_attr_objectclass_same -^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_oi_and_np_on_attribute -- 2.34.1
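Review bot: The type downgrade in the expand path (`if (inherited_property == NULL)`) repeats the same nine-case ACE type list as the applicability switch earlier in the function, again without a `default:`, so an ACE type not in the list silently keeps its original type after `desc_expand_generic`; a small static helper that maps an `_OBJECT` type to its plain counterpart would let both switches share one list and one `default`. The comment above it also reads "we need to downgrate the _OBJECT variants" — `downgrade`. The unexpanded copy appended at the bottom keeps the `_OBJECT` type and the inherited-object GUID, which appears deliberate since that copy exists only to be inherited further, but a one-line comment such as `/* keep the object-class filter: this copy is only used for further inheritance */` would stop a reader from "fixing" it to match the expanded path. The loop and the function start in the previous hunk.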